//// The contents of this file are subject to the terms of the Common Development and Distribution License (the License). You may not use this file except in compliance with the License. You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the specific language governing permission and limitations under the License. When distributing Covered Software, include this CDDL Header Notice in each file and include the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL Header, with the fields enclosed by brackets [] replaced by your own identifying information: "Portions copyright [year] [name of copyright owner]". Copyright 2017 ForgeRock AS. Portions Copyright 2024 3A Systems LLC. //// :figure-caption!: :example-caption!: :table-caption!: [#admin-tools-ref] == Tools Reference You can find bundle tools under the folder where you installed OpenDJ directory server as listed in xref:../admin-guide/chap-admin-tools.adoc#cli-overview["Command-Line Tools"] in the __Administration Guide__. [#backendstat-1] === backendstat — gather OpenDJ backend debugging information ==== Synopsis `backendstat` {subcommand} {options} [#backendstat-description] ==== Description This utility can be used to debug a backend. [#backendstat-options] ==== Options The `backendstat` command takes the following options: -- `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#backendstat-subcommands] ==== Subcommands The `backendstat` command supports the following subcommands: [#backendstat-dump-index] ===== backendstat dump-index Dump records from an index, decoding keys and values. Depending on index size, this subcommand can generate lots of output. [#backendstat-dump-index-options] ====== Options -- The `backendstat dump-index` command takes the following options: `-n | --backendID {backendName}`:: The backend ID of the backend. `-b | --baseDN {baseDN}`:: The base DN within the backend. `-i | --indexName {indexName}`:: The name of the index. `-q | --statsOnly`:: Do not display backend data, just statistics. + Default: false `-K | --maxKeyValue {maxKeyValue}`:: Only show records with keys that should be ordered before the provided value using the comparator for the database container. `-k | --minKeyValue {minKeyValue}`:: Only show records with keys that should be ordered after the provided value using the comparator for the database container. `-X | --maxHexKeyValue {maxKeyValue}`:: Only show records with keys that should be ordered before the provided value using the comparator for the database container. `-x | --minHexKeyValue {minKeyValue}`:: Only show records with keys that should be ordered after the provided value using the comparator for the database container. `-S | --maxDataSize {maxDataSize}`:: Only show records whose data is no larger than the provided value. + Default: -1 `-s | --minDataSize {minDataSize}`:: Only show records whose data is no smaller than the provided value. + Default: -1 `-p | --skipDecode`:: Do not try to decode backend data to their appropriate types. + Default: false -- [#backendstat-dump-raw-db] ===== backendstat dump-raw-db Dump the raw records in hexadecimal format for a low-level database within the pluggable backend's storage engine. Depending on index size, this subcommand can generate lots of output. [#backendstat-dump-raw-db-options] ====== Options -- The `backendstat dump-raw-db` command takes the following options: `-n | --backendID {backendName}`:: The backend ID of the backend. `-d | --dbName {databaseName}`:: The raw database name. `-q | --statsOnly`:: Do not display backend data, just statistics. + Default: false `-K | --maxKeyValue {maxKeyValue}`:: Only show records with keys that should be ordered before the provided value using the comparator for the database container. `-k | --minKeyValue {minKeyValue}`:: Only show records with keys that should be ordered after the provided value using the comparator for the database container. `-X | --maxHexKeyValue {maxKeyValue}`:: Only show records with keys that should be ordered before the provided value using the comparator for the database container. `-x | --minHexKeyValue {minKeyValue}`:: Only show records with keys that should be ordered after the provided value using the comparator for the database container. `-S | --maxDataSize {maxDataSize}`:: Only show records whose data is no larger than the provided value. + Default: -1 `-s | --minDataSize {minDataSize}`:: Only show records whose data is no smaller than the provided value. + Default: -1 `-l | --singleLine`:: Write hexadecimal data on a single line instead of pretty format. + Default: false -- [#backendstat-list-backends] ===== backendstat list-backends List the pluggable backends. [#backendstat-list-base-dns] ===== backendstat list-base-dns List the base DNs in a backend. [#backendstat-list-base-dns-options] ====== Options -- The `backendstat list-base-dns` command takes the following options: `-n | --backendID {backendName}`:: The backend ID of the backend. -- [#backendstat-list-indexes] ===== backendstat list-indexes List the indexes associated with a pluggable backend. This subcommand may take a long time to complete depending on the size of the backend. [#backendstat-list-indexes-options] ====== Options -- The `backendstat list-indexes` command takes the following options: `-n | --backendID {backendName}`:: The backend ID of the backend. `-b | --baseDN {baseDN}`:: The base DN within the backend. -- [#backendstat-list-raw-dbs] ===== backendstat list-raw-dbs List the low-level databases within a pluggable backend's storage engine. This subcommand may take a long time to complete depending on the size of the backend. [#backendstat-list-raw-dbs-options] ====== Options -- The `backendstat list-raw-dbs` command takes the following options: `-n | --backendID {backendName}`:: The backend ID of the backend. `-u | --useSIUnits`:: Uses SI Units for printing sizes. + Default: false -- [#backendstat-show-index-status] ===== backendstat show-index-status Shows the status of indexes for a backend base DN. This subcommand can take a long time to complete, as it reads all indexes for all backends. -- When you run the 'list-index-status' command, the result is a table, followed by a "Total", which is the total number of indexes, followed by a list of indexes with "Over index-entry-limit keys" to show the values for which the number of entries exceeded the index entry limit. The table has the following columns. Index Name:: Name of the index, which takes the form __attr.type__ for attribute indexes, and vlv.__name__ for VLV indexes. Some indexes are for OpenDJ directory server's internal use. + Example: `givenName.caseIgnoreSubstringsMatch:6` Tree Name:: Name of the backend tree, which reflects how OpenDJ directory server organizes the data in the database. + Example: `/dc=example,dc=com/givenName.caseIgnoreSubstringsMatch:6` Index Valid:: This is `true` for valid indexes. If this is `false`, the index might be degraded. Verify the index, and rebuild the index if necessary. Record Count:: Number of indexed keys. Use the `backendstat dump-tree` command to see how many entry IDs correspond to each key. Over Index Entry Limit:: Number of keys for which there are too many values to maintain an index, based on the index entry limit. This is recorded as `-` for VLV indexes. + In other words, with the default index entry limit of 4000, if every user in your large directory has an email address ending in `@example.com`, and a substring index with default substring length of 6 is maintained for `mail`, then OpenDJ directory server does not maintain indexes for keys corresponding to substrings in `@example.com`. + As a result, an LDAP search with the filter `"(mail=*@example.com)"` becomes an unindexed search even though a substring index exists for the mail attribute. By default OpenDJ directory server does not allow unindexed searches except by privileged users. This is usually exactly the behavior you want in order to prevent client applications from sending searches that return every user in the directory for example. Clients should refine their search filters instead. 95%, 90%, 85%:: Number of keys for which the number of values is approaching the index entry limit, having at least the specified percentage. This is a measure of how full the entry ID lists are. -- [#backendstat-show-index-status-options] ====== Options -- The `backendstat show-index-status` command takes the following options: `-n | --backendID {backendName}`:: The backend ID of the backend. `-b | --baseDN {baseDN}`:: The base DN within the backend. -- [#d1822e699] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e716] ==== Examples The following example displays index information. [source, console] ---- $ bin/backendstat dump-index -n userRoot -b dc=example,dc=com -i id2childrencount Key (len 2): 1#52 Value (len 8): 1 Key (len 2): 2#52 Value (len 8): 500000 Key (len 9): Total Children Count Value (len 8): 500001 Total Records: 3 Total / Average Key Size: 13 bytes / 4 bytes Total / Average Data Size: 24 bytes / 8 bytes ---- ''' [#backup-1] === backup — back up OpenDJ directory data ==== Synopsis `backup` [#backup-description] ==== Description This utility can be used to back up one or more Directory Server backends. [#backup-options] ==== Options The `backup` command takes the following options: -- Command options: `-a | --backUpAll`:: Back up all backends in the server. + Default: false `-A | --hash`:: Generate a hash of the backup contents. + Default: false `-B | --incrementalBaseID {backupID}`:: Backup ID of the source archive for an incremental backup. `-c | --compress`:: Compress the backup contents. + Default: false `-d | --backupDirectory {backupDir}`:: Path to the target directory for the backup file(s). `-i | --incremental`:: Perform an incremental backup rather than a full backup. + Default: false `-I | --backupID {backupID}`:: Use the provided identifier for the backup. `-n | --backendID {backendName}`:: Backend ID for the backend to archive. `-s | --signHash`:: Sign the hash of the backup contents. + Default: false `-y | --encrypt`:: Encrypt the backup contents. + Default: false -- -- Task Backend Connection Options `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Task Scheduling Options `--completionNotify {emailAddress}`:: Email address of a recipient to be notified when the task completes. This option may be specified more than once. `--dependency {taskID}`:: ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution. `--errorNotify {emailAddress}`:: Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once. `--failedDependencyAction {action}`:: Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL. `--recurringTask {schedulePattern}`:: Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern. `-t | --start {startTime}`:: Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately. -- -- Utility input/output options: `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e1059] ==== Exit Codes -- 0:: The command completed successfully. 1:: An error occurred. -- [#d1822e1076] ==== Examples The following example backs up all user data while the server is online. [source, console] ---- $ backup -p 4444 -D "cn=Directory Manager" -w password \ -a -d /path/to/opendj/bak -t 0 Backup task 20110613143801866 scheduled to start ... ---- The following example schedules back up of all user data every night at 2 AM when the server is online, and notifies diradmin@example.com when finished, or on error. [source, console] ---- $ backup -p 4444 -D "cn=Directory Manager" -w password -a \ -d /path/to/opendj/bak --recurringTask "00 02 * * *" \ --completionNotify diradmin@example.com --errorNotify diradmin@example.com Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0 scheduled successfully ---- The following example backs up all user data while the server is offline. [source, console] ---- $ stop-ds Stopping Server... ... $ backup --backupAll --backupDirectory /path/to/opendj/bak ... msg=The backup process completed successfully $ start-ds ... The Directory Server has started successfully ---- ''' [#base64-1] === base64 — encode and decode base64 strings ==== Synopsis `base64` {subcommand} {options} [#base64-description] ==== Description This utility can be used to encode and decode information using base64. [#base64-options] ==== Options The `base64` command takes the following options: -- `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#base64-subcommands] ==== Subcommands The `base64` command supports the following subcommands: [#base64-decode] ===== base64 decode Decode base64-encoded information into raw data. When no options are specified, this subcommand reads from standard input and writes to standard output. [#base64-decode-options] ====== Options -- The `base64 decode` command takes the following options: `-d | --encodedData {data}`:: The base64-encoded data to be decoded. `-f | --encodedDataFile {path}`:: The path to a file containing the base64-encoded data to be decoded. `-o | --toRawFile {path}`:: The path to a file to which the raw base64-decoded data should be written. -- [#base64-encode] ===== base64 encode Encode raw data using base64. When no options are specified, this subcommand reads from standard input and writes to standard output. [#base64-encode-options] ====== Options -- The `base64 encode` command takes the following options: `-d | --rawData {data}`:: The raw data to be base64 encoded. `-f | --rawDataFile {path}`:: The path to a file containing the raw data to be base64 encoded. `-o | --toEncodedFile {path}`:: The path to a file to which the base64-encoded data should be written. -- [#d1822e1264] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e1281] ==== Examples The following command shows the changes from the external change log in human-readable format. [source, console] ---- $ base64 decode -d YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UK\ LQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2V\ yLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW\ 1lc3RhbXA6IDIwMTEwNjEzMDcxMjEwWgotCg== add: description description: A third change - replace: modifiersName modifiersName: cn=Directory Manager,cn=Root DNs,cn=config - replace: modifyTimestamp modifyTimestamp: 20110613071210Z - ---- ''' [#control-panel-1] === control-panel — start the OpenDJ graphical admin interface ==== Synopsis `control-panel` [#control-panel-description] ==== Description This utility can be used to display the Control Panel window which displays basic server information and allows to do some basic administration tasks on the server. If no host name or port is provided, the tool will try to connect to the local server. [#control-panel-options] ==== Options The `control-panel` command takes the following options: -- Command options: `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-r | --remote`:: Connect to a remote server. + Default: false -- -- LDAP connection options: `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e1434] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e1451] ==== Examples The following example starts the Control Panel on a remote host. [source, console] ---- $ control-panel -r -h opendj.example.com -p 4444 & ---- ''' [#create-rc-script-1] === create-rc-script — script to manage OpenDJ as a service on UNIX ==== Synopsis `create-rc-script` [#create-rc-script-description] ==== Description Create an RC script that may be used to start, stop, and restart the Directory Server on UNIX-based systems. [#create-rc-script-options] ==== Options The `create-rc-script` command takes the following options: -- Command options: `-f | --outputFile {path}`:: The path to the output file to create. `-j | --javaHome {path}`:: The path to the Java installation that should be used to run the server. `-J | --javaArgs {args}`:: A set of arguments that should be passed to the JVM when running the server. `-u | --userName {userName}`:: The name of the user account under which the server should run. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e1555] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e1572] ==== Examples The following example adds a script to start OpenDJ at boot time on a Debian-based system, and then updates the runlevel system to use the script. [source, console] ---- $ sudo create-rc-script -f /etc/init.d/opendj -u opendj-user $ sudo update-rc.d opendj ---- ''' [#dsconfig-1] === dsconfig — manage OpenDJ directory server configuration ==== Synopsis `dsconfig` {subcommand} {options} [#dsconfig-description] ==== Description This utility can be used to define a base configuration for the Directory Server. The `dsconfig` command is the primary command-line tool for viewing and editing OpenDJ configuration. When started without arguments, `dsconfig` prompts you for administration connection information, including the host name, administration port number, administrator bind DN and administrator password. The `dsconfig` command then connects securely to the directory server over the administration port. Once connected it presents you with a menu-driven interface to the server configuration. When you pass connection information, subcommands, and additional options to `dsconfig`, the command runs in script mode and so is not interactive, though it can prompt you to ask whether to apply changes and whether to trust certificates (unless you use the `--no-prompt` and `--trustAll` options, respectively). You can prepare `dsconfig` batch scripts by running the tool with the `--commandFilePath` option in interactive mode, then reading from the batch file with the `--batchFilePath` option in script mode. Batch files can be useful when you have many `dsconfig` commands to run and want to avoid starting the JVM for each command. Alternatively, you can read commands from standard input by using the `--batch` option. The `dsconfig` command categorizes directory server configuration into __components__, also called __managed objects__. Actual components often inherit from a parent component type. For example, one component is a Connection Handler. An LDAP Connection Handler is a type of Connection Handler. You configure the LDAP Connection Handler component to specify how OpenDJ directory server handles LDAP connections coming from client applications. Configuration components have __properties__. For example, the LDAP Connection Handler component has properties such as `listen-port` and `allow-start-tls`. You can set the component's `listen-port` property to `389` to use the default LDAP port number. You can set the component's `allow-start-tls` property to `true` to permit LDAP client applications to use StartTLS. Much of the configuration you do with `dsconfig` involves setting component properties. [#dsconfig-options] ==== Options The `dsconfig` command takes the following options: -- Command options: `--batch`:: Reads from standard input a set of commands to be executed. + Default: false `--commandFilePath {path}`:: The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode. `--displayCommand`:: Display the equivalent non-interactive argument in the standard output when this command is run in interactive mode. + Default: false `--help-all`:: Display all subcommands. + Default: false `--help-core-server`:: Display subcommands relating to core server. + Default: false `--help-database`:: Display subcommands relating to caching and back-ends. + Default: false `--help-logging`:: Display subcommands relating to logging. + Default: false `--help-replication`:: Display subcommands relating to replication. + Default: false `--help-security`:: Display subcommands relating to authentication and authorization. + Default: false `--help-user-management`:: Display subcommands relating to user management. + Default: false -- -- Configuration Options `--advanced`:: Allows the configuration of advanced components and properties. + Default: false -- -- LDAP connection options: `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-E | --reportAuthzID`:: Use the authorization identity control. + Default: false `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `--usePasswordPolicyControl`:: Use the password policy request control. + Default: false `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Utility input/output options: `-F | --batchFilePath {batchFilePath}`:: Path to a batch file containing a set of commands to be executed. `-n | --no-prompt`:: Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. + Default: false `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. `-Q | --quiet`:: Use quiet mode. + Default: false `-s | --script-friendly`:: Use script-friendly mode. + Default: false `-v | --verbose`:: Use verbose mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#dsconfig-subcommands] ==== Subcommands The `dsconfig` command provides many subcommands. Subcommands let you create, list, and delete entire configuration components, and also let you get and set component properties. Subcommands therefore have names that reflect these five actions. * create-__component__ * list-__component__s * delete-__component__ * get-__component__-prop * set-__component__-prop Here, __component__ names are names of managed object types. Subcommand __component__ names are lower-case, hyphenated versions of the friendly names. When you act on an actual configuration component, you provide the name of the component as an option argument. For example, the Log Publisher component has these corresponding subcommands. * `create-log-publisher` * `list-log-publishers` * `delete-log-publisher` * `get-log-publisher-prop` * `set-log-publisher-prop` When you create or delete Log Publisher components and when you get and set their configuration properties, you provide the name of the actual log publisher, which you can find by using the `list-log-publishers` subcommand. [source, console] ---- $ dsconfig \ list-log-publishers \ --hostname opendj.example.com \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --trustAll Log Publisher : Type : enabled ------------------------------:------------------------:-------- File-Based Access Logger : file-based-access : true File-Based Audit Logger : file-based-audit : false File-Based Debug Logger : file-based-debug : false File-Based Error Logger : file-based-error : true File-Based HTTP Access Logger : file-based-http-access : false Replication Repair Logger : file-based-error : true $ dsconfig \ get-log-publisher-prop \ --publisher-name "File-Based Access Logger" \ --property rotation-policy \ --hostname opendj.example.com \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --trustAll Property : Value(s) ----------------:-------------------------------------------------------------- rotation-policy : 24 Hours Time Limit Rotation Policy, Size Limit Rotation : Policy ---- Many subcommands let you set property values. Notice in the reference for the subcommands below that specific options are available for handling multi-valued properties. Whereas you can assign a single property value by using the `--set` option, you assign multiple values to a multi-valued property by using the `--add` option. You can reset the values of the multi-valued property by using the `--reset` option. Some property values take a time duration. Durations are expressed as numbers followed by units. For example `1 s` means one second, and `2 w` means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows. * `ms`: milliseconds * `s`: seconds * `m`: minutes * `h`: hours * `d`: days * `w`: weeks Use the following options to view help for subcommands. -- `dsconfig --help-all`:: Display all subcommands `dsconfig --help-core-server`:: Display subcommands relating to core server `dsconfig --help-database`:: Display subcommands relating to caching and back-ends `dsconfig --help-logging`:: Display subcommands relating to logging `dsconfig --help-replication`:: Display subcommands relating to replication `dsconfig --help-security`:: Display subcommands relating to authentication and authorization `dsconfig --help-user-management`:: Display subcommands relating to user management -- For help with individual subcommands, either use `dsconfig subcommand --help`, or start `dsconfig` in interactive mode, without specifying a subcommand. To view all component properties, use the `dsconfig list-properties` command. The `dsconfig` command supports the following subcommands: * link:../reference/index.html#dsconfig-create-access-log-filtering-criteria[dsconfig create-access-log-filtering-criteria]: Creates Access Log Filtering Criteria * link:../reference/index.html#dsconfig-create-account-status-notification-handler[dsconfig create-account-status-notification-handler]: Creates Account Status Notification Handlers * link:../reference/index.html#dsconfig-create-alert-handler[dsconfig create-alert-handler]: Creates Alert Handlers * link:../reference/index.html#dsconfig-create-attribute-syntax[dsconfig create-attribute-syntax]: Creates Attribute Syntaxes * link:../reference/index.html#dsconfig-create-backend[dsconfig create-backend]: Creates Backends * link:../reference/index.html#dsconfig-create-backend-index[dsconfig create-backend-index]: Creates Backend Indexes * link:../reference/index.html#dsconfig-create-backend-vlv-index[dsconfig create-backend-vlv-index]: Creates Backend VLV Indexes * link:../reference/index.html#dsconfig-create-certificate-mapper[dsconfig create-certificate-mapper]: Creates Certificate Mappers * link:../reference/index.html#dsconfig-create-connection-handler[dsconfig create-connection-handler]: Creates Connection Handlers * link:../reference/index.html#dsconfig-create-debug-target[dsconfig create-debug-target]: Creates Debug Targets * link:../reference/index.html#dsconfig-create-entry-cache[dsconfig create-entry-cache]: Creates Entry Caches * link:../reference/index.html#dsconfig-create-extended-operation-handler[dsconfig create-extended-operation-handler]: Creates Extended Operation Handlers * link:../reference/index.html#dsconfig-create-group-implementation[dsconfig create-group-implementation]: Creates Group Implementations * link:../reference/index.html#dsconfig-create-http-authorization-mechanism[dsconfig create-http-authorization-mechanism]: Creates HTTP Authorization Mechanisms * link:../reference/index.html#dsconfig-create-http-endpoint[dsconfig create-http-endpoint]: Creates HTTP Endpoints * link:../reference/index.html#dsconfig-create-identity-mapper[dsconfig create-identity-mapper]: Creates Identity Mappers * link:../reference/index.html#dsconfig-create-key-manager-provider[dsconfig create-key-manager-provider]: Creates Key Manager Providers * link:../reference/index.html#dsconfig-create-log-publisher[dsconfig create-log-publisher]: Creates Log Publishers * link:../reference/index.html#dsconfig-create-log-retention-policy[dsconfig create-log-retention-policy]: Creates Log Retention Policies * link:../reference/index.html#dsconfig-create-log-rotation-policy[dsconfig create-log-rotation-policy]: Creates Log Rotation Policies * link:../reference/index.html#dsconfig-create-matching-rule[dsconfig create-matching-rule]: Creates Matching Rules * link:../reference/index.html#dsconfig-create-monitor-provider[dsconfig create-monitor-provider]: Creates Monitor Providers * link:../reference/index.html#dsconfig-create-password-generator[dsconfig create-password-generator]: Creates Password Generators * link:../reference/index.html#dsconfig-create-password-policy[dsconfig create-password-policy]: Creates Authentication Policies * link:../reference/index.html#dsconfig-create-password-storage-scheme[dsconfig create-password-storage-scheme]: Creates Password Storage Schemes * link:../reference/index.html#dsconfig-create-password-validator[dsconfig create-password-validator]: Creates Password Validators * link:../reference/index.html#dsconfig-create-plugin[dsconfig create-plugin]: Creates Plugins * link:../reference/index.html#dsconfig-create-replication-domain[dsconfig create-replication-domain]: Creates Replication Domains * link:../reference/index.html#dsconfig-create-replication-server[dsconfig create-replication-server]: Creates Replication Servers * link:../reference/index.html#dsconfig-create-sasl-mechanism-handler[dsconfig create-sasl-mechanism-handler]: Creates SASL Mechanism Handlers * link:../reference/index.html#dsconfig-create-schema-provider[dsconfig create-schema-provider]: Creates Schema Providers * link:../reference/index.html#dsconfig-create-synchronization-provider[dsconfig create-synchronization-provider]: Creates Synchronization Providers * link:../reference/index.html#dsconfig-create-trust-manager-provider[dsconfig create-trust-manager-provider]: Creates Trust Manager Providers * link:../reference/index.html#dsconfig-create-virtual-attribute[dsconfig create-virtual-attribute]: Creates Virtual Attributes * link:../reference/index.html#dsconfig-delete-access-log-filtering-criteria[dsconfig delete-access-log-filtering-criteria]: Deletes Access Log Filtering Criteria * link:../reference/index.html#dsconfig-delete-account-status-notification-handler[dsconfig delete-account-status-notification-handler]: Deletes Account Status Notification Handlers * link:../reference/index.html#dsconfig-delete-alert-handler[dsconfig delete-alert-handler]: Deletes Alert Handlers * link:../reference/index.html#dsconfig-delete-attribute-syntax[dsconfig delete-attribute-syntax]: Deletes Attribute Syntaxes * link:../reference/index.html#dsconfig-delete-backend[dsconfig delete-backend]: Deletes Backends * link:../reference/index.html#dsconfig-delete-backend-index[dsconfig delete-backend-index]: Deletes Backend Indexes * link:../reference/index.html#dsconfig-delete-backend-vlv-index[dsconfig delete-backend-vlv-index]: Deletes Backend VLV Indexes * link:../reference/index.html#dsconfig-delete-certificate-mapper[dsconfig delete-certificate-mapper]: Deletes Certificate Mappers * link:../reference/index.html#dsconfig-delete-connection-handler[dsconfig delete-connection-handler]: Deletes Connection Handlers * link:../reference/index.html#dsconfig-delete-debug-target[dsconfig delete-debug-target]: Deletes Debug Targets * link:../reference/index.html#dsconfig-delete-entry-cache[dsconfig delete-entry-cache]: Deletes Entry Caches * link:../reference/index.html#dsconfig-delete-extended-operation-handler[dsconfig delete-extended-operation-handler]: Deletes Extended Operation Handlers * link:../reference/index.html#dsconfig-delete-group-implementation[dsconfig delete-group-implementation]: Deletes Group Implementations * link:../reference/index.html#dsconfig-delete-http-authorization-mechanism[dsconfig delete-http-authorization-mechanism]: Deletes HTTP Authorization Mechanisms * link:../reference/index.html#dsconfig-delete-http-endpoint[dsconfig delete-http-endpoint]: Deletes HTTP Endpoints * link:../reference/index.html#dsconfig-delete-identity-mapper[dsconfig delete-identity-mapper]: Deletes Identity Mappers * link:../reference/index.html#dsconfig-delete-key-manager-provider[dsconfig delete-key-manager-provider]: Deletes Key Manager Providers * link:../reference/index.html#dsconfig-delete-log-publisher[dsconfig delete-log-publisher]: Deletes Log Publishers * link:../reference/index.html#dsconfig-delete-log-retention-policy[dsconfig delete-log-retention-policy]: Deletes Log Retention Policies * link:../reference/index.html#dsconfig-delete-log-rotation-policy[dsconfig delete-log-rotation-policy]: Deletes Log Rotation Policies * link:../reference/index.html#dsconfig-delete-matching-rule[dsconfig delete-matching-rule]: Deletes Matching Rules * link:../reference/index.html#dsconfig-delete-monitor-provider[dsconfig delete-monitor-provider]: Deletes Monitor Providers * link:../reference/index.html#dsconfig-delete-password-generator[dsconfig delete-password-generator]: Deletes Password Generators * link:../reference/index.html#dsconfig-delete-password-policy[dsconfig delete-password-policy]: Deletes Authentication Policies * link:../reference/index.html#dsconfig-delete-password-storage-scheme[dsconfig delete-password-storage-scheme]: Deletes Password Storage Schemes * link:../reference/index.html#dsconfig-delete-password-validator[dsconfig delete-password-validator]: Deletes Password Validators * link:../reference/index.html#dsconfig-delete-plugin[dsconfig delete-plugin]: Deletes Plugins * link:../reference/index.html#dsconfig-delete-replication-domain[dsconfig delete-replication-domain]: Deletes Replication Domains * link:../reference/index.html#dsconfig-delete-replication-server[dsconfig delete-replication-server]: Deletes Replication Servers * link:../reference/index.html#dsconfig-delete-sasl-mechanism-handler[dsconfig delete-sasl-mechanism-handler]: Deletes SASL Mechanism Handlers * link:../reference/index.html#dsconfig-delete-schema-provider[dsconfig delete-schema-provider]: Deletes Schema Providers * link:../reference/index.html#dsconfig-delete-synchronization-provider[dsconfig delete-synchronization-provider]: Deletes Synchronization Providers * link:../reference/index.html#dsconfig-delete-trust-manager-provider[dsconfig delete-trust-manager-provider]: Deletes Trust Manager Providers * link:../reference/index.html#dsconfig-delete-virtual-attribute[dsconfig delete-virtual-attribute]: Deletes Virtual Attributes * link:../reference/index.html#dsconfig-get-access-control-handler-prop[dsconfig get-access-control-handler-prop]: Shows Access Control Handler properties * link:../reference/index.html#dsconfig-get-access-log-filtering-criteria-prop[dsconfig get-access-log-filtering-criteria-prop]: Shows Access Log Filtering Criteria properties * link:../reference/index.html#dsconfig-get-account-status-notification-handler-prop[dsconfig get-account-status-notification-handler-prop]: Shows Account Status Notification Handler properties * link:../reference/index.html#dsconfig-get-administration-connector-prop[dsconfig get-administration-connector-prop]: Shows Administration Connector properties * link:../reference/index.html#dsconfig-get-alert-handler-prop[dsconfig get-alert-handler-prop]: Shows Alert Handler properties * link:../reference/index.html#dsconfig-get-attribute-syntax-prop[dsconfig get-attribute-syntax-prop]: Shows Attribute Syntax properties * link:../reference/index.html#dsconfig-get-backend-index-prop[dsconfig get-backend-index-prop]: Shows Backend Index properties * link:../reference/index.html#dsconfig-get-backend-prop[dsconfig get-backend-prop]: Shows Backend properties * link:../reference/index.html#dsconfig-get-backend-vlv-index-prop[dsconfig get-backend-vlv-index-prop]: Shows Backend VLV Index properties * link:../reference/index.html#dsconfig-get-certificate-mapper-prop[dsconfig get-certificate-mapper-prop]: Shows Certificate Mapper properties * link:../reference/index.html#dsconfig-get-connection-handler-prop[dsconfig get-connection-handler-prop]: Shows Connection Handler properties * link:../reference/index.html#dsconfig-get-crypto-manager-prop[dsconfig get-crypto-manager-prop]: Shows Crypto Manager properties * link:../reference/index.html#dsconfig-get-debug-target-prop[dsconfig get-debug-target-prop]: Shows Debug Target properties * link:../reference/index.html#dsconfig-get-entry-cache-prop[dsconfig get-entry-cache-prop]: Shows Entry Cache properties * link:../reference/index.html#dsconfig-get-extended-operation-handler-prop[dsconfig get-extended-operation-handler-prop]: Shows Extended Operation Handler properties * link:../reference/index.html#dsconfig-get-external-changelog-domain-prop[dsconfig get-external-changelog-domain-prop]: Shows External Changelog Domain properties * link:../reference/index.html#dsconfig-get-global-configuration-prop[dsconfig get-global-configuration-prop]: Shows Global Configuration properties * link:../reference/index.html#dsconfig-get-group-implementation-prop[dsconfig get-group-implementation-prop]: Shows Group Implementation properties * link:../reference/index.html#dsconfig-get-http-authorization-mechanism-prop[dsconfig get-http-authorization-mechanism-prop]: Shows HTTP Authorization Mechanism properties * link:../reference/index.html#dsconfig-get-http-endpoint-prop[dsconfig get-http-endpoint-prop]: Shows HTTP Endpoint properties * link:../reference/index.html#dsconfig-get-identity-mapper-prop[dsconfig get-identity-mapper-prop]: Shows Identity Mapper properties * link:../reference/index.html#dsconfig-get-key-manager-provider-prop[dsconfig get-key-manager-provider-prop]: Shows Key Manager Provider properties * link:../reference/index.html#dsconfig-get-log-publisher-prop[dsconfig get-log-publisher-prop]: Shows Log Publisher properties * link:../reference/index.html#dsconfig-get-log-retention-policy-prop[dsconfig get-log-retention-policy-prop]: Shows Log Retention Policy properties * link:../reference/index.html#dsconfig-get-log-rotation-policy-prop[dsconfig get-log-rotation-policy-prop]: Shows Log Rotation Policy properties * link:../reference/index.html#dsconfig-get-matching-rule-prop[dsconfig get-matching-rule-prop]: Shows Matching Rule properties * link:../reference/index.html#dsconfig-get-monitor-provider-prop[dsconfig get-monitor-provider-prop]: Shows Monitor Provider properties * link:../reference/index.html#dsconfig-get-password-generator-prop[dsconfig get-password-generator-prop]: Shows Password Generator properties * link:../reference/index.html#dsconfig-get-password-policy-prop[dsconfig get-password-policy-prop]: Shows Authentication Policy properties * link:../reference/index.html#dsconfig-get-password-storage-scheme-prop[dsconfig get-password-storage-scheme-prop]: Shows Password Storage Scheme properties * link:../reference/index.html#dsconfig-get-password-validator-prop[dsconfig get-password-validator-prop]: Shows Password Validator properties * link:../reference/index.html#dsconfig-get-plugin-prop[dsconfig get-plugin-prop]: Shows Plugin properties * link:../reference/index.html#dsconfig-get-plugin-root-prop[dsconfig get-plugin-root-prop]: Shows Plugin Root properties * link:../reference/index.html#dsconfig-get-replication-domain-prop[dsconfig get-replication-domain-prop]: Shows Replication Domain properties * link:../reference/index.html#dsconfig-get-replication-server-prop[dsconfig get-replication-server-prop]: Shows Replication Server properties * link:../reference/index.html#dsconfig-get-root-dn-prop[dsconfig get-root-dn-prop]: Shows Root DN properties * link:../reference/index.html#dsconfig-get-root-dse-backend-prop[dsconfig get-root-dse-backend-prop]: Shows Root DSE Backend properties * link:../reference/index.html#dsconfig-get-sasl-mechanism-handler-prop[dsconfig get-sasl-mechanism-handler-prop]: Shows SASL Mechanism Handler properties * link:../reference/index.html#dsconfig-get-schema-provider-prop[dsconfig get-schema-provider-prop]: Shows Schema Provider properties * link:../reference/index.html#dsconfig-get-synchronization-provider-prop[dsconfig get-synchronization-provider-prop]: Shows Synchronization Provider properties * link:../reference/index.html#dsconfig-get-trust-manager-provider-prop[dsconfig get-trust-manager-provider-prop]: Shows Trust Manager Provider properties * link:../reference/index.html#dsconfig-get-virtual-attribute-prop[dsconfig get-virtual-attribute-prop]: Shows Virtual Attribute properties * link:../reference/index.html#dsconfig-get-work-queue-prop[dsconfig get-work-queue-prop]: Shows Work Queue properties * link:../reference/index.html#dsconfig-list-access-log-filtering-criteria[dsconfig list-access-log-filtering-criteria]: Lists existing Access Log Filtering Criteria * link:../reference/index.html#dsconfig-list-account-status-notification-handlers[dsconfig list-account-status-notification-handlers]: Lists existing Account Status Notification Handlers * link:../reference/index.html#dsconfig-list-alert-handlers[dsconfig list-alert-handlers]: Lists existing Alert Handlers * link:../reference/index.html#dsconfig-list-attribute-syntaxes[dsconfig list-attribute-syntaxes]: Lists existing Attribute Syntaxes * link:../reference/index.html#dsconfig-list-backend-indexes[dsconfig list-backend-indexes]: Lists existing Backend Indexes * link:../reference/index.html#dsconfig-list-backend-vlv-indexes[dsconfig list-backend-vlv-indexes]: Lists existing Backend VLV Indexes * link:../reference/index.html#dsconfig-list-backends[dsconfig list-backends]: Lists existing Backends * link:../reference/index.html#dsconfig-list-certificate-mappers[dsconfig list-certificate-mappers]: Lists existing Certificate Mappers * link:../reference/index.html#dsconfig-list-connection-handlers[dsconfig list-connection-handlers]: Lists existing Connection Handlers * link:../reference/index.html#dsconfig-list-debug-targets[dsconfig list-debug-targets]: Lists existing Debug Targets * link:../reference/index.html#dsconfig-list-entry-caches[dsconfig list-entry-caches]: Lists existing Entry Caches * link:../reference/index.html#dsconfig-list-extended-operation-handlers[dsconfig list-extended-operation-handlers]: Lists existing Extended Operation Handlers * link:../reference/index.html#dsconfig-list-group-implementations[dsconfig list-group-implementations]: Lists existing Group Implementations * link:../reference/index.html#dsconfig-list-http-authorization-mechanisms[dsconfig list-http-authorization-mechanisms]: Lists existing HTTP Authorization Mechanisms * link:../reference/index.html#dsconfig-list-http-endpoints[dsconfig list-http-endpoints]: Lists existing HTTP Endpoints * link:../reference/index.html#dsconfig-list-identity-mappers[dsconfig list-identity-mappers]: Lists existing Identity Mappers * link:../reference/index.html#dsconfig-list-key-manager-providers[dsconfig list-key-manager-providers]: Lists existing Key Manager Providers * link:../reference/index.html#dsconfig-list-log-publishers[dsconfig list-log-publishers]: Lists existing Log Publishers * link:../reference/index.html#dsconfig-list-log-retention-policies[dsconfig list-log-retention-policies]: Lists existing Log Retention Policies * link:../reference/index.html#dsconfig-list-log-rotation-policies[dsconfig list-log-rotation-policies]: Lists existing Log Rotation Policies * link:../reference/index.html#dsconfig-list-matching-rules[dsconfig list-matching-rules]: Lists existing Matching Rules * link:../reference/index.html#dsconfig-list-monitor-providers[dsconfig list-monitor-providers]: Lists existing Monitor Providers * link:../reference/index.html#dsconfig-list-password-generators[dsconfig list-password-generators]: Lists existing Password Generators * link:../reference/index.html#dsconfig-list-password-policies[dsconfig list-password-policies]: Lists existing Password Policies * link:../reference/index.html#dsconfig-list-password-storage-schemes[dsconfig list-password-storage-schemes]: Lists existing Password Storage Schemes * link:../reference/index.html#dsconfig-list-password-validators[dsconfig list-password-validators]: Lists existing Password Validators * link:../reference/index.html#dsconfig-list-plugins[dsconfig list-plugins]: Lists existing Plugins * link:../reference/index.html#dsconfig-list-properties[dsconfig list-properties]: Describes managed objects and their properties * link:../reference/index.html#dsconfig-list-replication-domains[dsconfig list-replication-domains]: Lists existing Replication Domains * link:../reference/index.html#dsconfig-list-replication-server[dsconfig list-replication-server]: Lists existing Replication Server * link:../reference/index.html#dsconfig-list-sasl-mechanism-handlers[dsconfig list-sasl-mechanism-handlers]: Lists existing SASL Mechanism Handlers * link:../reference/index.html#dsconfig-list-schema-providers[dsconfig list-schema-providers]: Lists existing Schema Providers * link:../reference/index.html#dsconfig-list-synchronization-providers[dsconfig list-synchronization-providers]: Lists existing Synchronization Providers * link:../reference/index.html#dsconfig-list-trust-manager-providers[dsconfig list-trust-manager-providers]: Lists existing Trust Manager Providers * link:../reference/index.html#dsconfig-list-virtual-attributes[dsconfig list-virtual-attributes]: Lists existing Virtual Attributes * link:../reference/index.html#dsconfig-set-access-control-handler-prop[dsconfig set-access-control-handler-prop]: Modifies Access Control Handler properties * link:../reference/index.html#dsconfig-set-access-log-filtering-criteria-prop[dsconfig set-access-log-filtering-criteria-prop]: Modifies Access Log Filtering Criteria properties * link:../reference/index.html#dsconfig-set-account-status-notification-handler-prop[dsconfig set-account-status-notification-handler-prop]: Modifies Account Status Notification Handler properties * link:../reference/index.html#dsconfig-set-administration-connector-prop[dsconfig set-administration-connector-prop]: Modifies Administration Connector properties * link:../reference/index.html#dsconfig-set-alert-handler-prop[dsconfig set-alert-handler-prop]: Modifies Alert Handler properties * link:../reference/index.html#dsconfig-set-attribute-syntax-prop[dsconfig set-attribute-syntax-prop]: Modifies Attribute Syntax properties * link:../reference/index.html#dsconfig-set-backend-index-prop[dsconfig set-backend-index-prop]: Modifies Backend Index properties * link:../reference/index.html#dsconfig-set-backend-prop[dsconfig set-backend-prop]: Modifies Backend properties * link:../reference/index.html#dsconfig-set-backend-vlv-index-prop[dsconfig set-backend-vlv-index-prop]: Modifies Backend VLV Index properties * link:../reference/index.html#dsconfig-set-certificate-mapper-prop[dsconfig set-certificate-mapper-prop]: Modifies Certificate Mapper properties * link:../reference/index.html#dsconfig-set-connection-handler-prop[dsconfig set-connection-handler-prop]: Modifies Connection Handler properties * link:../reference/index.html#dsconfig-set-crypto-manager-prop[dsconfig set-crypto-manager-prop]: Modifies Crypto Manager properties * link:../reference/index.html#dsconfig-set-debug-target-prop[dsconfig set-debug-target-prop]: Modifies Debug Target properties * link:../reference/index.html#dsconfig-set-entry-cache-prop[dsconfig set-entry-cache-prop]: Modifies Entry Cache properties * link:../reference/index.html#dsconfig-set-extended-operation-handler-prop[dsconfig set-extended-operation-handler-prop]: Modifies Extended Operation Handler properties * link:../reference/index.html#dsconfig-set-external-changelog-domain-prop[dsconfig set-external-changelog-domain-prop]: Modifies External Changelog Domain properties * link:../reference/index.html#dsconfig-set-global-configuration-prop[dsconfig set-global-configuration-prop]: Modifies Global Configuration properties * link:../reference/index.html#dsconfig-set-group-implementation-prop[dsconfig set-group-implementation-prop]: Modifies Group Implementation properties * link:../reference/index.html#dsconfig-set-http-authorization-mechanism-prop[dsconfig set-http-authorization-mechanism-prop]: Modifies HTTP Authorization Mechanism properties * link:../reference/index.html#dsconfig-set-http-endpoint-prop[dsconfig set-http-endpoint-prop]: Modifies HTTP Endpoint properties * link:../reference/index.html#dsconfig-set-identity-mapper-prop[dsconfig set-identity-mapper-prop]: Modifies Identity Mapper properties * link:../reference/index.html#dsconfig-set-key-manager-provider-prop[dsconfig set-key-manager-provider-prop]: Modifies Key Manager Provider properties * link:../reference/index.html#dsconfig-set-log-publisher-prop[dsconfig set-log-publisher-prop]: Modifies Log Publisher properties * link:../reference/index.html#dsconfig-set-log-retention-policy-prop[dsconfig set-log-retention-policy-prop]: Modifies Log Retention Policy properties * link:../reference/index.html#dsconfig-set-log-rotation-policy-prop[dsconfig set-log-rotation-policy-prop]: Modifies Log Rotation Policy properties * link:../reference/index.html#dsconfig-set-matching-rule-prop[dsconfig set-matching-rule-prop]: Modifies Matching Rule properties * link:../reference/index.html#dsconfig-set-monitor-provider-prop[dsconfig set-monitor-provider-prop]: Modifies Monitor Provider properties * link:../reference/index.html#dsconfig-set-password-generator-prop[dsconfig set-password-generator-prop]: Modifies Password Generator properties * link:../reference/index.html#dsconfig-set-password-policy-prop[dsconfig set-password-policy-prop]: Modifies Authentication Policy properties * link:../reference/index.html#dsconfig-set-password-storage-scheme-prop[dsconfig set-password-storage-scheme-prop]: Modifies Password Storage Scheme properties * link:../reference/index.html#dsconfig-set-password-validator-prop[dsconfig set-password-validator-prop]: Modifies Password Validator properties * link:../reference/index.html#dsconfig-set-plugin-prop[dsconfig set-plugin-prop]: Modifies Plugin properties * link:../reference/index.html#dsconfig-set-plugin-root-prop[dsconfig set-plugin-root-prop]: Modifies Plugin Root properties * link:../reference/index.html#dsconfig-set-replication-domain-prop[dsconfig set-replication-domain-prop]: Modifies Replication Domain properties * link:../reference/index.html#dsconfig-set-replication-server-prop[dsconfig set-replication-server-prop]: Modifies Replication Server properties * link:../reference/index.html#dsconfig-set-root-dn-prop[dsconfig set-root-dn-prop]: Modifies Root DN properties * link:../reference/index.html#dsconfig-set-root-dse-backend-prop[dsconfig set-root-dse-backend-prop]: Modifies Root DSE Backend properties * link:../reference/index.html#dsconfig-set-sasl-mechanism-handler-prop[dsconfig set-sasl-mechanism-handler-prop]: Modifies SASL Mechanism Handler properties * link:../reference/index.html#dsconfig-set-schema-provider-prop[dsconfig set-schema-provider-prop]: Modifies Schema Provider properties * link:../reference/index.html#dsconfig-set-synchronization-provider-prop[dsconfig set-synchronization-provider-prop]: Modifies Synchronization Provider properties * link:../reference/index.html#dsconfig-set-trust-manager-provider-prop[dsconfig set-trust-manager-provider-prop]: Modifies Trust Manager Provider properties * link:../reference/index.html#dsconfig-set-virtual-attribute-prop[dsconfig set-virtual-attribute-prop]: Modifies Virtual Attribute properties * link:../reference/index.html#dsconfig-set-work-queue-prop[dsconfig set-work-queue-prop]: Modifies Work Queue properties [#d1822e3561] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e3578] ==== Examples Much of the __OpenDJ Administration Guide__ consists of `dsconfig` examples with text in between. This section therefore remains short. The following example starts `dsconfig` in interactive, menu-driven mode on the default port of the current host. [source, console] ---- $ dsconfig -h opendj.example.com -p 4444 -D "cn=Directory Manager" -w password >>>> OpenDJ configuration console main menu What do you want to configure? 1) Access Control Handler 23) Log Publisher 2) Access Log Filtering Criteria 24) Log Retention Policy 3) Account Status Notification Handler 25) Log Rotation Policy 4) Administration Connector 26) Matching Rule 5) Alert Handler 27) Monitor Provider 6) Attribute Syntax 28) Password Generator 7) Backend 29) Password Policy 8) Backend Index 30) Password Storage Scheme 9) Backend VLV Index 31) Password Validator 10) Certificate Mapper 32) Plugin 11) Connection Handler 33) Plugin Root 12) Crypto Manager 34) Replication Domain 13) Debug Target 35) Replication Server 14) Entry Cache 36) Root DN 15) Extended Operation Handler 37) Root DSE Backend 16) External Changelog Domain 38) SASL Mechanism Handler 17) Global Configuration 39) Schema Provider 18) Group Implementation 40) Synchronization Provider 19) HTTP Authorization Mechanism 41) Trust Manager Provider 20) HTTP Endpoint 42) Virtual Attribute 21) Identity Mapper 43) Work Queue 22) Key Manager Provider q) quit Enter choice: ---- The following example demonstrates generating a batch file that corresponds to an interactive session enabling the debug log. The example then demonstrates using a modified batch file to disable the debug log. [source, console] ---- $ dsconfig \ --hostname opendj.example.com \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --commandFilePath ~/enable-debug-log.batch ... $ cat ~/enable-debug-log.batch # dsconfig session start date: 19/Oct/2011:08:52:22 +0000 # Session operation number: 1 # Operation date: 19/Oct/2011:08:55:06 +0000 dsconfig set-log-publisher-prop \ --publisher-name File-Based\ Debug\ Logger \ --set enabled:true \ --hostname opendj.example.com \ --port 4444 \ --trustStorePath /path/to/opendj/config/admin-truststore \ --bindDN cn=Directory\ Manager \ --bindPassword ****** \ --no-prompt $ cp ~/enable-debug-log.batch ~/disable-debug-log.batch $ vi ~/disable-debug-log.batch $ cat ~/disable-debug-log.batch set-log-publisher-prop \ --publisher-name File-Based\ Debug\ Logger \ --set enabled:false \ --hostname opendj.example.com \ --port 4444 \ --trustStorePath /path/to/opendj/config/admin-truststore \ --bindDN cn=Directory\ Manager \ --bindPassword password \ --no-prompt $ dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt set-log-publisher-prop --publisher-name File-Based Debug Logger --set enabled:false --hostname opendj.example.com --port 4444 --trustStorePath /path/to/opendj/config/admin-truststore --bindDN cn=Directory Manager --bindPassword password --no-prompt $ ---- Notice that the original command file looks like a shell script with the bind password value replaced by asterisks. To pass the content as a batch file to `dsconfig`, strip `dsconfig` itself, and include the bind password for the administrative user or replace that option with an alternative, such as reading the password from a file. ''' [#dsjavaproperties-1] === dsjavaproperties — apply OpenDJ Java home and JVM settings ==== Synopsis `dsjavaproperties` [#dsjavaproperties-description] ==== Description This utility can be used to change the java arguments and java home that are used by the different server commands. Before launching the command, edit the properties file located in /path/to/opendj/config/java.properties to specify the java arguments and java home. When you have edited the properties file, run this command for the changes to be taken into account. Note that the changes will only apply to this server installation. No modifications will be made to your environment variables. [#dsjavaproperties-options] ==== Options The `dsjavaproperties` command takes the following options: -- Utility input/output options: `-Q | --quiet`:: Use quiet mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e3721] ==== Files This command depends on the content of the `config/java.properties` file. [#d1822e3730] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e3747] ==== Examples The following example demonstrates a successful run. [source, console] ---- $ dsjavaproperties The operation was successful. The server commands will use the java arguments and java home specified in the properties file located in /path/to/opendj/config/java.properties ---- ''' [#dsreplication-1] === dsreplication — manage OpenDJ directory data replication ==== Synopsis `dsreplication` {subcommand} {options} [#dsreplication-description] ==== Description This utility can be used to configure replication between servers so that the data of the servers is synchronized. For replication to work you must first enable replication using the 'enable' subcommand and then initialize the contents of one of the servers with the contents of the other using the 'initialize' subcommand. [#dsreplication-options] ==== Options The `dsreplication` command takes the following options: -- Command options: `-b | --baseDN {baseDN}`:: Base DN of the data to be replicated, initialized or for which we want to disable replication. Multiple base DNs can be provided by using this option multiple times. `--commandFilePath {path}`:: The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode. `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `--displayCommand`:: Display the equivalent non-interactive argument in the standard output when this command is run in interactive mode. + Default: false `-j | --adminPasswordFile {bindPasswordFile}`:: The file containing the password of the global administrator. `-w | --adminPassword {bindPassword}`:: The global administrator password. -- -- Configuration Options `--advanced`:: Allows the configuration of advanced components and properties. + Default: false -- -- LDAP connection options: `-I | --adminUID {adminUID}`:: User ID of the Global Administrator to use to bind to the server. For the 'enable' subcommand if no Global Administrator was defined previously for none of the server the Global Administrator will be created using the provided data. + Default: admin `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Utility input/output options: `-n | --no-prompt`:: Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. + Default: false `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. `-Q | --quiet`:: Use quiet mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#dsreplication-subcommands] ==== Subcommands The `dsreplication` command supports the following subcommands: [#dsreplication-disable] ===== dsreplication disable Disables replication on the specified server for the provided base DN and removes references in the other servers with which it is replicating data. [#dsreplication-disable-options] ====== Options -- The `dsreplication disable` command takes the following options: `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-D | --bindDN {bindDN}`:: DN to use to bind to the server where we want to disable replication. This option must be used when no Global Administrator has been defined on the server or if the user does not want to remove references in the other replicated servers. The password provided for the Global Administrator will be used when specifying this option. + Default: cn=Directory Manager `-a | --disableReplicationServer`:: Disable the replication server. The replication port and change log are disabled on the specified server. + Default: false `--disableAll`:: Disable the replication configuration on the specified server. The contents of the server are no longer replicated and the replication server (changelog and replication port) is disabled if it is configured. + Default: false -- [#dsreplication-enable] ===== dsreplication enable Updates the configuration of the servers to replicate the data under the specified base DN. If one of the specified servers is already replicating the data under the base DN with other servers, executing this subcommand will update the configuration of all the servers (so it is sufficient to execute the command line once for each server we add to the replication topology). [#dsreplication-enable-options] ====== Options -- The `dsreplication enable` command takes the following options: `-h | --host1 {host}`:: Fully qualified host name or IP address of the first server whose contents will be replicated. + Default: localhost.localdomain `-p | --port1 {port}`:: Directory server administration port number of the first server whose contents will be replicated. + Default: 4444 `-D | --bindDN1 {bindDN}`:: DN to use to bind to the first server whose contents will be replicated. If not specified the global administrator will be used to bind. + Default: cn=Directory Manager `--bindPassword1 {bindPassword}`:: Password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind. `--bindPasswordFile1 {bindPasswordFile}`:: File containing the password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind. `-r | --replicationPort1 {port}`:: Port that will be used by the replication mechanism in the first server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the first server. + Default: 8989 `--secureReplication1`:: Specifies whether the communication through the replication port of the first server is encrypted or not. This option will only be taken into account the first time replication is configured on the first server. + Default: false `--noReplicationServer1`:: Do not configure a replication port or change log on the first server. The first server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure. + Default: false `--onlyReplicationServer1`:: Configure only a change log and replication port on the first server. The first server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers. + Default: false `-O | --host2 {host}`:: Fully qualified host name or IP address of the second server whose contents will be replicated. + Default: localhost.localdomain `--port2 {port}`:: Directory server administration port number of the second server whose contents will be replicated. + Default: 4444 `--bindDN2 {bindDN}`:: DN to use to bind to the second server whose contents will be replicated. If not specified the global administrator will be used to bind. + Default: cn=Directory Manager `--bindPassword2 {bindPassword}`:: Password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind. `-F | --bindPasswordFile2 {bindPasswordFile}`:: File containing the password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind. `-R | --replicationPort2 {port}`:: Port that will be used by the replication mechanism in the second server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the second server. + Default: 8989 `--secureReplication2`:: Specifies whether the communication through the replication port of the second server is encrypted or not. This option will only be taken into account the first time replication is configured on the second server. + Default: false `--noReplicationServer2`:: Do not configure a replication port or change log on the second server. The second server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure. + Default: false `--onlyReplicationServer2`:: Configure only a change log and replication port on the second server. The second server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers. + Default: false `-S | --skipPortCheck`:: Skip the check to determine whether the specified replication ports are usable. + Default: false `--noSchemaReplication`:: Do not replicate the schema between the servers. + Default: false `--useSecondServerAsSchemaSource`:: Use the second server to initialize the schema of the first server. If this option nor option --noSchemaReplication are specified the schema of the first server will be used to initialize the schema of the second server. + Default: false -- [#dsreplication-initialize] ===== dsreplication initialize Initialize the contents of the data under the specified base DN on the destination server with the contents on the source server. This operation is required after enabling replication in order replication to work ('initialize-all' can also be used for this purpose). [#dsreplication-initialize-options] ====== Options -- The `dsreplication initialize` command takes the following options: `-h | --hostSource {host}`:: Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server. + Default: localhost.localdomain `-p | --portSource {port}`:: Directory server administration port number of the source server whose contents will be used to initialize the destination server. + Default: 4444 `-O | --hostDestination {host}`:: Fully qualified host name or IP address of the destination server whose contents will be initialized. + Default: localhost.localdomain `--portDestination {port}`:: Directory server administration port number of the destination server whose contents will be initialized. + Default: 4444 -- [#dsreplication-initialize-all] ===== dsreplication initialize-all Initialize the contents of the data under the specified base DN on all the servers whose contents are being replicated with the contents on the specified server. This operation is required after enabling replication for replication to work ('initialize' applied to each server can also be used for this purpose). [#dsreplication-initialize-all-options] ====== Options -- The `dsreplication initialize-all` command takes the following options: `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-p | --port {port}`:: Directory server administration port number. + Default: 4444 -- [#dsreplication-post-external-initialization] ===== dsreplication post-external-initialization This subcommand must be called after initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that have been initialized and you must provide the credentials of any of the servers that are being replicated. See the usage of the subcommand 'pre-external-initialization' for more information. [#dsreplication-post-external-initialization-options] ====== Options -- The `dsreplication post-external-initialization` command takes the following options: `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-p | --port {port}`:: Directory server administration port number. + Default: 4444 -- [#dsreplication-pre-external-initialization] ===== dsreplication pre-external-initialization This subcommand must be called before initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that will be initialized and you must provide the credentials of any of the servers that are being replicated. After calling this subcommand, initialize the contents of all the servers in the topology (use the same LDIF file/binary copy on each of the servers), then call the subcommand 'post-external-initialization'. [#dsreplication-pre-external-initialization-options] ====== Options -- The `dsreplication pre-external-initialization` command takes the following options: `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-p | --port {port}`:: Directory server administration port number. + Default: 4444 -- [#dsreplication-purge-historical] ===== dsreplication purge-historical Launches a purge processing of the historical informations stored in the user entries by replication. Since this processing may take a while, you must specify the maximum duration for this processing. [#dsreplication-purge-historical-options] ====== Options -- The `dsreplication purge-historical` command takes the following options: `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `--maximumDuration {maximum duration}`:: This argument specifies the maximum duration the purge processing must last expressed in seconds. + Default: 3600 `-t | --start {startTime}`:: Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately. `--recurringTask {schedulePattern}`:: Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern. `--completionNotify {emailAddress}`:: Email address of a recipient to be notified when the task completes. This option may be specified more than once. `--errorNotify {emailAddress}`:: Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once. `--dependency {taskID}`:: ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution. `--failedDependencyAction {action}`:: Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL. -- [#dsreplication-reset-change-number] ===== dsreplication reset-change-number Re-synchronizes the change-log changenumber on one server with the change-log changenumber of another. [#dsreplication-reset-change-number-options] ====== Options -- The `dsreplication reset-change-number` command takes the following options: `-h | --hostSource {host}`:: Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server. + Default: localhost.localdomain `-p | --portSource {port}`:: Directory server administration port number of the source server whose contents will be used to initialize the destination server. + Default: 4444 `-O | --hostDestination {host}`:: Fully qualified host name or IP address of the destination server whose contents will be initialized. + Default: localhost.localdomain `--portDestination {port}`:: Directory server administration port number of the destination server whose contents will be initialized. + Default: 4444 `--change-number {change number}`:: The change number to use as the basis for re-synchronization. -- [#dsreplication-status] ===== dsreplication status Displays a list with the basic replication configuration of the base DNs of the servers defined in the registration information. If no base DNs are specified as parameter the information for all base DNs is displayed. [#dsreplication-status-options] ====== Options -- The `dsreplication status` command takes the following options: `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-s | --script-friendly`:: Use script-friendly mode. + Default: false -- [#d1822e4589] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e4606] ==== Examples The following example enables and then initializes replication for a new replica on `opendj2.example.com` from an existing replica on `opendj.example.com`. [source, console] ---- $ dsreplication enable -I admin -w password -X -n -b dc=example,dc=com \ --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" \ --bindPassword1 password --replicationPort1 8989 \ --host2 opendj2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" \ --bindPassword2 password --replicationPort2 8989 Establishing connections ..... Done. Checking registration information ..... Done. Updating remote references on server opendj.example.com:4444 ..... Done. Configuring Replication port on server opendj2.example.com:4444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:4444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj2.example.com:4444 ..... Done. Updating registration configuration on server opendj.example.com:4444 ..... Done. Updating registration configuration on server opendj2.example.com:4444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:4444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj2.example.com:4444 ..... Done. Initializing registration information on server opendj2.example.com:4444 with the contents of server opendj.example.com:4444 ..... Done. Initializing schema on server opendj2.example.com:4444 with the contents of server opendj.example.com:4444 ..... Done. Replication has been successfully enabled. Note that for replication to work you must initialize the contents of the base DN's that are being replicated (use dsreplication initialize to do so). See /var/.../opends-replication-7958637258600693490.log for a detailed log of this operation. $ dsreplication initialize-all -I admin -w password -X -n -b dc=example,dc=com \ -h opendj.example.com -p 4444 Initializing base DN dc=example,dc=com with the contents from opendj.example.com:4444: 160 entries processed (100 % complete). Base DN initialized successfully. See /var/.../opends-replication-5020375834904394170.log for a detailed log of this operation. ---- ''' [#encode-password-1] === encode-password — encode a password with an OpenDJ storage scheme ==== Synopsis `encode-password` [#encode-password-description] ==== Description This utility can be used to encode user passwords with a specified storage scheme, or to determine whether a given clear-text value matches a provided encoded password. [#encode-password-options] ==== Options The `encode-password` command takes the following options: -- Command options: `-a | --authPasswordSyntax`:: Use the authentication password syntax rather than the user password syntax. + Default: false `-c | --clearPassword {clearPW}`:: Clear-text password to encode or to compare against an encoded password. `-e | --encodedPassword {encodedPW}`:: Encoded password to compare against the clear-text password. `-E | --encodedPasswordFile {file}`:: Encoded password file. `-f | --clearPasswordFile {file}`:: Clear-text password file. `-i | --interactivePassword`:: The password to encode or to compare against an encoded password is interactively asked to the user. + Default: false `-l | --listSchemes`:: List available password storage schemes. + Default: false `-r | --useCompareResultCode`:: Use the LDAP compare result as an exit code for the password comparison. + Default: false `-s | --storageScheme {scheme}`:: Scheme to use for the encoded password. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e4767] ==== Exit Codes -- 0:: The command completed successfully. 5:: The `-r` option was used, and the compare did not match. 6:: The `-r` option was used, and the compare did match. other:: An error occurred. -- [#d1822e4802] ==== Examples The following example encodes a password, and also shows comparison of a password with the encoded value. [source, console] ---- $ encode-password -l 3DES AES BASE64 BLOWFISH CLEAR CRYPT MD5 RC4 SHA SMD5 SSHA SSHA256 SSHA384 SSHA512 $ encode-password -c secret12 -s CRYPT Encoded Password: "{CRYPT}ZulJ6Dy3TFnrE" $ encode-password -c secret12 -s CRYPT -e "{CRYPT}ZulJ6Dy3TFnrE" -r The provided clear-text and encoded passwords match $ echo $? 6 ---- ''' [#export-ldif-1] === export-ldif — export OpenDJ directory data in LDIF ==== Synopsis `export-ldif` [#export-ldif-description] ==== Description This utility can be used to export data from a Directory Server backend in LDIF form. [#export-ldif-options] ==== Options The `export-ldif` command takes the following options: -- Command options: `-a | --appendToLDIF`:: Append an existing LDIF file rather than overwriting it. + Default: false `-b | --includeBranch {branchDN}`:: Base DN of a branch to include in the LDIF export. `-B | --excludeBranch {branchDN}`:: Base DN of a branch to exclude from the LDIF export. `-c | --compress`:: Compress the LDIF data as it is exported. + Default: false `-e | --excludeAttribute {attribute}`:: Attribute to exclude from the LDIF export. `-E | --excludeFilter {filter}`:: Filter to identify entries to exclude from the LDIF export. `-i | --includeAttribute {attribute}`:: Attribute to include in the LDIF export. `-I | --includeFilter {filter}`:: Filter to identify entries to include in the LDIF export. `-l | --ldifFile {ldifFile}`:: Path to the LDIF file to be written. `-n | --backendID {backendName}`:: Backend ID for the backend to export. `-O | --excludeOperational`:: Exclude operational attributes from the LDIF export. + Default: false `--wrapColumn {wrapColumn}`:: Column at which to wrap long lines (0 for no wrapping). + Default: 0 -- -- Task Backend Connection Options `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Task Scheduling Options `--completionNotify {emailAddress}`:: Email address of a recipient to be notified when the task completes. This option may be specified more than once. `--dependency {taskID}`:: ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution. `--errorNotify {emailAddress}`:: Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once. `--failedDependencyAction {action}`:: Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL. `--recurringTask {schedulePattern}`:: Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern. `-t | --start {startTime}`:: Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately. -- -- Utility input/output options: `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e5173] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e5190] ==== Examples The following example exports data to a file, `Example.ldif`, with the server offline. [source, console] ---- $ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif ... category=BACKEND severity=INFORMATION ... ...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec) ---- ''' [#import-ldif-1] === import-ldif — import OpenDJ directory data from LDIF ==== Synopsis `import-ldif` [#import-ldif-description] ==== Description This utility can be used to import LDIF data into a Directory Server backend, overwriting existing data. It cannot be used to append data to the backend database. [#import-ldif-options] ==== Options The `import-ldif` command takes the following options: -- Command options: `-A | --templateFile {templateFile}`:: Path to a MakeLDIF template to use to generate the import data. `-b | --includeBranch {branchDN}`:: Base DN of a branch to include in the LDIF import. `-B | --excludeBranch {branchDN}`:: Base DN of a branch to exclude from the LDIF import. `-c | --isCompressed`:: LDIF file is compressed. + Default: false `--countRejects`:: Count the number of entries rejected by the server and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions). + Default: false `-e | --excludeAttribute {attribute}`:: Attribute to exclude from the LDIF import. `-E | --excludeFilter {filter}`:: Filter to identify entries to exclude from the LDIF import. `-F | --clearBackend`:: Remove all entries for all base DNs in the backend before importing. + Default: false `-i | --includeAttribute {attribute}`:: Attribute to include in the LDIF import. `-I | --includeFilter {filter}`:: Filter to identify entries to include in the LDIF import. `-l | --ldifFile {ldifFile}`:: Path to the LDIF file to be imported. `-n | --backendID {backendName}`:: Backend ID for the backend to import. `-O | --overwrite`:: Overwrite an existing rejects and/or skip file rather than appending to it. + Default: false `-R | --rejectFile {rejectFile}`:: Write rejected entries to the specified file. `-s | --randomSeed {seed}`:: Seed for the MakeLDIF random number generator. + Default: 0 `-S | --skipSchemaValidation`:: Skip schema validation during the LDIF import. + Default: false `--skipFile {skipFile}`:: Write skipped entries to the specified file. `--threadCount {count}`:: Number of threads used to read LDIF file during import. Default value (0) equals: 2 x (number of CPUs). + Default: 0 `--tmpdirectory {directory}`:: Path to temporary directory for index scratch files during LDIF import. + Default: import-tmp -- -- Task Backend Connection Options `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Task Scheduling Options `--completionNotify {emailAddress}`:: Email address of a recipient to be notified when the task completes. This option may be specified more than once. `--dependency {taskID}`:: ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution. `--errorNotify {emailAddress}`:: Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once. `--failedDependencyAction {action}`:: Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL. `--recurringTask {schedulePattern}`:: Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern. `-t | --start {startTime}`:: Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately. -- -- Utility input/output options: `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. `-Q | --quiet`:: Use quiet mode (no output). + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e5612] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e5629] ==== Examples The following example exports data to a file, `Example.ldif`, with the server offline. [source, console] ---- $ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif ... category=BACKEND severity=INFORMATION ... ...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec) ---- ''' [#ldapcompare-1] === ldapcompare — perform LDAP compare operations ==== Synopsis `ldapcompare` 'attribute:value' "DN" ... [#ldapcompare-description] ==== Description This utility can be used to perform LDAP compare operations in the Directory Server. [#ldapcompare-options] ==== Options The `ldapcompare` command takes the following options: -- Command options: `--assertionFilter {filter}`:: Use the LDAP assertion control with the provided filter. `-c | --continueOnError`:: Continue processing even if there are errors. + Default: false `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-f | --filename {file}`:: File containing the DNs of the entries to compare. `-J | --control {controloid[:criticality[:value|::b64value|: 0:: An error occurred. -- [#d1822e8293] ==== Examples The following example demonstrates use of the command. [source, console] ---- $ cat /path/to/newuser.ldif dn: uid=newuser,ou=People,dc=example,dc=com uid: newuser objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top cn: New User sn: User ou: People mail: newuser@example.com userPassword: changeme $ cat /path/to/newdiff.ldif dn: uid=newuser,ou=People,dc=example,dc=com changetype: modify add: userPassword userPassword: secret12 - delete: userPassword userPassword: changeme - add: description description: A new description. $ ldifmodify -s /path/to/newuser.ldif -m /path/to/newdiff.ldif -t neweruser.ldif $ cat neweruser.ldif dn: uid=newuser,ou=People,dc=example,dc=com uid: newuser objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top cn: New User sn: User ou: People mail: newuser@example.com userPassword: secret12 description: A new description. ---- ''' [#ldifsearch-1] === ldifsearch — search LDIF with LDAP filters ==== Synopsis `ldifsearch` [filter] [attributes ...] [#ldifsearch-description] ==== Description This utility can be used to perform search operations against data in an LDIF file. [#ldifsearch-options] ==== Options The `ldifsearch` command takes the following options: -- Command options: `-b | --baseDN {baseDN}`:: The base DN for the search. Multiple base DNs may be specified by providing the option multiple times. If no base DN is provided, then the root DSE will be used. + Default: `-f | --filterFile {filterFile}`:: The path to the file containing the search filter(s) to use. If this is not provided, then the filter must be provided on the command line after all configuration options. `-l | --ldifFile {ldifFile}`:: LDIF file containing the data to search. Multiple files may be specified by providing the option multiple times. If no files are provided, the data will be read from standard input. `-o | --outputFile {outputFile}`:: The path to the output file to which the matching entries should be written. If this is not provided, then the data will be written to standard output. `-O | --overwriteExisting`:: Any existing output file should be overwritten rather than appending to it. + Default: false `-s | --searchScope {scope}`:: The scope for the search. It must be one of 'base', 'one', 'sub', or 'subordinate'. If it is not provided, then 'sub' will be used. + Default: sub `-t | --timeLimit {timeLimit}`:: Maximum length of time (in seconds) to spend processing. + Default: 0 `-z | --sizeLimit {sizeLimit}`:: Maximum number of matching entries to return. + Default: 0 -- -- Utility input/output options: `-T | --dontWrap`:: Long lines should not be wrapped. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e8466] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e8483] ==== Examples The following example demonstrates use of the command. [source, console] ---- $ ldifsearch -b dc=example,dc=com /path/to/Example.ldif uid=bjensen dn: uid=bjensen,ou=People,dc=example,dc=com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uid: bjensen userpassword: hifalutin facsimiletelephonenumber: +1 408 555 1992 givenname: Barbara cn: Barbara Jensen cn: Babs Jensen telephonenumber: +1 408 555 1862 sn: Jensen roomnumber: 0209 homeDirectory: /home/bjensen mail: bjensen@example.com l: San Francisco ou: Product Development ou: People uidNumber: 1076 gidNumber: 1000 ---- You can also use `@objectclass` notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the `posixAccount` object class. [source, console] ---- $ ldifsearch --ldifFile /path/to/Example.ldif \ --baseDN dc=example,dc=com "(uid=bjensen)" @posixaccount dn: uid=bjensen,ou=People,dc=example,dc=com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uid: bjensen userpassword: hifalutin cn: Barbara Jensen cn: Babs Jensen homeDirectory: /home/bjensen uidNumber: 1076 gidNumber: 1000 ---- ''' [#list-backends-1] === list-backends — list OpenDJ backends and base DNs ==== Synopsis `list-backends` [#list-backends-description] ==== Description This utility can be used to list the backends and base DNs configured in the Directory Server. [#list-backends-options] ==== Options The `list-backends` command takes the following options: -- Command options: `-b | --baseDN {baseDN}`:: Base DN for which to list the backend ID. `-n | --backendID {backendName}`:: Backend ID of the backend for which to list the base DNs. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e8595] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e8612] ==== Examples The following example demonstrates a successful run. [source, console] ---- $ list-backends Backend ID : Base DN -------------------:---------------------- adminRoot : cn=admin data ads-truststore : cn=ads-truststore backup : cn=backups config : cn=config monitor : cn=monitor myCompanyRoot : "dc=myCompany,dc=com" myOrgRoot : o=myOrg schema : cn=schema tasks : cn=tasks userRoot : "dc=example,dc=com" ---- ''' [#make-ldif-1] === make-ldif — generate test LDIF ==== Synopsis `make-ldif` [#make-ldif-description] ==== Description This utility can be used to generate LDIF data based on a definition in a template file. [#make-ldif-options] ==== Options The `make-ldif` command takes the following options: -- Command options: `-o | --ldifFile {file}`:: The path to the LDIF file to be written. `-s | --randomSeed {seed}`:: The seed to use to initialize the random number generator. + Default: 0 `-t | --templateFile {file}`:: The path to the template file with information about the LDIF data to generate. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e8714] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e8731] ==== Examples The following example uses the default template to generate LDIF. [source, console] ---- $ make-ldif -t ../config/MakeLDIF/example.template -o ../ldif/generated.ldif Processed 1000 entries Processed 2000 entries ... Processed 10000 entries LDIF processing complete. 10003 entries written ---- [#d1822e8746] ==== See Also xref:#make-ldif-template-5[make-ldif.template(5)] ''' [#make-ldif-template-5] === make-ldif.template — template file for the make-ldif command ==== Synopsis [source] ---- # Comment lines start with #. # # Notice that this synopsis includes blank lines after entries. # In the same way you would use blank lines after entries in normal LDIF, # leave empty lines after "entries" in template files. # Optionally include classes that define custom tags. # Custom tag classes extend org.opends.server.tools.makeldif.Tag and # must be on the class path when you run make-ldif. # include custom.makeldif.tag.ClassName ... # Optionally define constants used in the template. # To reference constants later, put brackets around the name: [constant-name] # define constant-name=value ... # Define branches by suffix DN, such as the following: # # dc=example,dc=com # ou=People,dc=example,dc=com # ou=Groups,dc=example,dc=com # # make-ldif generates the necessary object class definitions and RDNs. # # A branch can have subordinateTemplates that define templates to use for # the branch entry. # # A branch can have additional attributes generated on the branch entry. See # the Description below for more information on specifying attribute values. # branch: suffix-dn [subordinateTemplate: template-name:number ...] [attribute: attr-value ...] ... # Define entries using templates. # # A template can extend another template. # A template defines the RDN attribute(s) used for generated entries. # A template can have a subordinateTemplate that defines a template to use for # the generated entries. # # A template then defines attributes. See the Description below for more # information on specifying attribute values. # template: template-name [extends: template-name] rdnAttr: attribute[+attribute ...] [subordinateTemplate: template-name:number] [attribute: attr-value ...] ... ---- [#d1822e8826] ==== Description Template files specify how to build LDIF. They allow you to define variables, insert random values from other files, and generally build arbitrarily large LDIF files for testing purposes. You pass template files to the `make-ldif` command when generating LDIF. The Synopsis above shows the layout for a `make-ldif` template file. This section focuses on what you can do to specify entry attribute values, called __attr-value__ in the Synopsis section. .Specifying Attribute Values -- When specifying attribute values in `make-ldif` templates, you can use static text and constants that you have defined, enclosing names for constants in brackets, `[myConstant]`. You can use more than one constant per line, as in the following example. [source, ldif] ---- description: Description for [org] under [suffix] ---- You can also use two kinds of tags when specifying attribute values. One kind of tag gets replaced with the value of another attribute in the generated entry. Such tags are delimited with braces, `{ }`. For example, if your template includes definitions for first name and last name attributes: [source, ldif] ---- givenName: sn: ---- Then you can define a mail attribute that uses the values of both attributes, and an initials attribute that takes the first character of each. [source, ldif] ---- mail: {givenName}.{sn}@[myDomain] initials: {givenName:1}{sn:1} ---- The other kind of tag is delimited with `<` and `>`, as shown above in the example with `` and ``. Tag names are not case sensitive. Many tags can take arguments separated by colons, `:`, from the tag names within the tag. Use backslashes to escape literal start tag characters (`< [ {`) as shown in the following example, and to escape literal end tag characters within tags (`> ] }`). [source, ldif] ---- scimMail: \{"emails": \[\{"value": "{mail}", "type": "work", "primary": true}]} xml: \{uid}\ ---- OpenDJ supports the following tags. :: The DN tag gets replaced by the distinguished name of the current entry. An optional integer argument specifies the subcomponents of the DN to generate. For example, if the DN of the entry is `uid=bjensen,ou=People,dc=example,dc=com` `` gets replaced by `uid=bjensen`, and `` gets replaced by `dc=example,dc=com`. :: The File tag gets replaced by a line from a text file you specify. The File tag takes a required argument, the path to the text file, and an optional second argument, either `random` or `sequential`. For the file argument, either you specify an absolute path to the file such as ``, or you specify a path relative to the `/path/to/opendj/config/MakeLDIF/` directory such as ``. For the second argument, if you specify `sequential` then lines from the file are read in sequential order. Otherwise, lines from the file are read in random order. :: The first name tag gets replaced by a random line from `/path/to/opendj/config/MakeLDIF/first.names`. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available. :: The GUID tag gets replaced by a 128-bit, type 4 (random) universally unique identifier such as `f47ac10b-58cc-4372-a567-0e02b2c3d479`. :: The IfAbsent tag takes as its first argument the name of another attribute, and optionally as its second argument a value to use. This tag causes the attribute to be generated only if the named attribute is not present on the generated entry. Use this tag when you have used `` to define another attribute that is not always present on generated entries. :: The IfPresent takes as its first argument the name of another attribute, and optionally as its second argument a value to use. This tag causes the attribute to be generated only if the named attribute is also present on the generated entry. Use this tag when you have used `` to define another attribute that is sometimes present on generated entries. :: The last name tag gets replaced by a random line from `/path/to/opendj/config/MakeLDIF/last.names`. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available. :: The List tag gets replaced by one of the values from the list of arguments you provide. For example, `` gets replaced with `bronze`, `silver`, or `gold`. + You can weight arguments to ensure some arguments are selected more often than others. For example, if you want two bronze for one silver and one gold, use ``. :: The ParentDN tag gets replaced by the distinguished name of the parent entry. For example, if the DN of the entry is `uid=bjensen,ou=People,dc=example,dc=com`, `` gets replaced by `ou=People,dc=example,dc=com`. :: The Presence tag takes a percent argument. It does not get replaced by a value itself, but instead results in the attribute being generated on the percentage of entries you specify in the argument. For example, `description: A description` generates `description: A description` on half the entries. :: The Random tag lets you generate a variety of random numbers and strings. The Random tag has the following subtypes, which you include as arguments, that is ``. + * `alpha:length` * `alpha:minlength:maxlength` * `numeric:length` * `numeric:minvalue:maxvalue` * `numeric:minvalue:maxvalue:format`, where __format__ is a link:http://docs.oracle.com/javase/7/docs/api/java/text/DecimalFormat.html[java.text.DecimalFormat, window=\_blank] pattern * `alphanumeric:length` * `alphanumeric:minlength:maxlength` * `chars:characters:length` * `chars:characters:minlength:maxlength` * `hex:length` * `hex:minlength:maxlength` * `base64:length` * `base64:minlength:maxlength` * `month` * `month:maxlength` * `telephone`, a telephone number starting with the country code `+1` :: The RDN tag gets replaced with the RDN of the entry. Use this in the template after you have specified `rdnAttr` so that the RDN has already been generated when this tag is replaced. + An optional integer argument specifies the subcomponents of the RDN to generate. :: The Sequential tag gets replaced by a sequentially increasing generated integer. The first optional integer argument specifies the starting number. The second optional boolean argument specifies whether to start over when generating entries for a new parent entry. For example, `:42:true` starts counting from 42, and starts over when the parent entry changes from `o=Engineering` to `o=Marketing`. <_DN>:: The _DN tag gets replaced by the DN of the current entry with underscores in the place of commas. <_ParentDN>:: The _ParentDN tag gets replaced by the DN the parent entry with underscores in the place of commas. -- [#d1822e9253] ==== Examples The following example generates 10 organization units, each containing 50 entries. [source] ---- define suffix=dc=example,dc=com define maildomain=example.com define numusers=50 define numorgs=10 branch: [suffix] branch: ou=People,[suffix] subordinateTemplate: orgunit:[numorgs] description: This is the People container telephoneNumber: +33 00010002 template: orgunit subordinateTemplate: person:[numusers] rdnAttr: ou ou: Org- objectClass: top objectClass: organizationalUnit description: This is the {ou} organizational unit template: person rdnAttr: uid objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson givenName: sn: cn: {givenName} {sn} initials: {givenName:1}{sn:1} employeeNumber: uid: user.{employeeNumber} mail: {uid}@[maildomain] userPassword: password telephoneNumber: homePhone: pager: mobile: street: Street l: st: postalCode: postalAddress: {cn}${street}${l}, {st} {postalCode} description: This is the description for {cn}. ---- [#d1822e9260] ==== See Also xref:#make-ldif-1[make-ldif(1)], the OpenDJ directory server template file `/path/to/opendj/config/MakeLDIF/example.template` ''' [#manage-account-1] === manage-account — manage state of OpenDJ server accounts ==== Synopsis `manage-account` {subcommand} {options} [#manage-account-description] ==== Description This utility can be used to retrieve and manipulate the values of password policy state variables. [#manage-account-options] ==== Options The `manage-account` command takes the following options: -- Command options: `-b | --targetDN {targetDN}`:: The DN of the user entry for which to get and set password policy state information. -- -- LDAP connection options: `-D | --bindDN {bindDN}`:: The DN to use to bind to the server. `-h | --hostname {host}`:: Directory server hostname or IP address. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: The path to the file containing the bind password. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of certificate for SSL client authentication. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: The password to use to bind to the server. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Utility input/output options: `-v | --verbose`:: Use verbose mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#manage-account-subcommands] ==== Subcommands The `manage-account` command supports the following subcommands: [#manage-account-clear-account-is-disabled] ===== manage-account clear-account-is-disabled Clear account disabled state information from the user account. [#manage-account-get-account-expiration-time] ===== manage-account get-account-expiration-time Display when the user account will expire. [#manage-account-get-account-is-disabled] ===== manage-account get-account-is-disabled Display information about whether the user account has been administratively disabled. [#manage-account-get-all] ===== manage-account get-all Display all password policy state information for the user. [#manage-account-get-authentication-failure-times] ===== manage-account get-authentication-failure-times Display the authentication failure times for the user. [#manage-account-get-grace-login-use-times] ===== manage-account get-grace-login-use-times Display the grace login use times for the user. [#manage-account-get-last-login-time] ===== manage-account get-last-login-time Display the time that the user last authenticated to the server. [#manage-account-get-password-changed-by-required-time] ===== manage-account get-password-changed-by-required-time Display the required password change time with which the user last complied. [#manage-account-get-password-changed-time] ===== manage-account get-password-changed-time Display the time that the user's password was last changed. [#manage-account-get-password-expiration-warned-time] ===== manage-account get-password-expiration-warned-time Display the time that the user first received an expiration warning notice. [#manage-account-get-password-history] ===== manage-account get-password-history Display password history state values for the user. [#manage-account-get-password-is-reset] ===== manage-account get-password-is-reset Display information about whether the user will be required to change his or her password on the next successful authentication. [#manage-account-get-password-policy-dn] ===== manage-account get-password-policy-dn Display the DN of the password policy for the user. [#manage-account-get-remaining-authentication-failure-count] ===== manage-account get-remaining-authentication-failure-count Display the number of remaining authentication failures until the user's account is locked. [#manage-account-get-remaining-grace-login-count] ===== manage-account get-remaining-grace-login-count Display the number of grace logins remaining for the user. [#manage-account-get-seconds-until-account-expiration] ===== manage-account get-seconds-until-account-expiration Display the length of time in seconds until the user account expires. [#manage-account-get-seconds-until-authentication-failure-unlock] ===== manage-account get-seconds-until-authentication-failure-unlock Display the length of time in seconds until the authentication failure lockout expires. [#manage-account-get-seconds-until-idle-lockout] ===== manage-account get-seconds-until-idle-lockout Display the length of time in seconds until user's account is locked because it has remained idle for too long. [#manage-account-get-seconds-until-password-expiration] ===== manage-account get-seconds-until-password-expiration Display length of time in seconds until the user's password expires. [#manage-account-get-seconds-until-password-expiration-warning] ===== manage-account get-seconds-until-password-expiration-warning Display the length of time in seconds until the user should start receiving password expiration warning notices. [#manage-account-get-seconds-until-password-reset-lockout] ===== manage-account get-seconds-until-password-reset-lockout Display the length of time in seconds until user's account is locked because the user failed to change the password in a timely manner after an administrative reset. [#manage-account-get-seconds-until-required-change-time] ===== manage-account get-seconds-until-required-change-time Display the length of time in seconds that the user has remaining to change his or her password before the account becomes locked due to the required change time. [#manage-account-set-account-is-disabled] ===== manage-account set-account-is-disabled Specify whether the user account has been administratively disabled. [#manage-account-set-account-is-disabled-options] ====== Options -- The `manage-account set-account-is-disabled` command takes the following options: `-O | --operationValue {true|false}`:: 'true' to indicate that the account is disabled, or 'false' to indicate that it is not disabled. -- [#d1822e9602] ==== Exit Codes -- 0:: The command completed successfully. 89:: An error occurred while parsing the command-line arguments. -- [#d1822e9619] ==== Examples For the following examples the directory admin user, Kirsten Vaughan, has `ds-privilege-name: password-reset` and the following ACI on `ou=People,dc=example,dc=com`. [source] ---- (target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")( version 3.0;acl "Admins can run amok"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";) ---- The following command locks a user account. [source, console] ---- $ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \ -w bribery set-account-is-disabled -O true \ -b uid=bjensen,ou=people,dc=example,dc=com -X Account Is Disabled: true ---- The following command unlocks a user account. [source, console] ---- $ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \ -w bribery clear-account-is-disabled \ -b uid=bjensen,ou=people,dc=example,dc=com -X Account Is Disabled: false ---- ''' [#manage-tasks-1] === manage-tasks — manage OpenDJ server administration tasks ==== Synopsis `manage-tasks` [#manage-tasks-description] ==== Description This utility can be used to obtain a list of tasks scheduled to run within the Directory Server as well as information about individual tasks. [#manage-tasks-options] ==== Options The `manage-tasks` command takes the following options: -- Command options: `-c | --cancel {taskID}`:: ID of a particular task to cancel. `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-i | --info {taskID}`:: ID of a particular task about which this tool will display information. `-s | --summary`:: Print a summary of tasks. + Default: false -- -- LDAP connection options: `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Utility input/output options: `-n | --no-prompt`:: Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. + Default: false `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e9889] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e9906] ==== Examples The following example demonstrates use of the command with a server that does daily backups at 2:00 AM. [source, console] ---- $ manage-tasks -p 4444 -h opendj.example.com -D "cn=Directory Manager" \ -w password -s ID Type Status --------------------------------------------------------------- example-backup Backup Recurring example-backup-20110622020000000 Backup Waiting on start time ---- ''' [#rebuild-index-1] === rebuild-index — rebuild index after configuration change ==== Synopsis `rebuild-index` [#rebuild-index-description] ==== Description This utility can be used to rebuild index data within an indexed backend database. [#rebuild-index-options] ==== Options The `rebuild-index` command takes the following options: -- Command options: `-b | --baseDN {baseDN}`:: Base DN of a backend supporting indexing. Rebuild is performed on indexes within the scope of the given base DN. `--clearDegradedState`:: Indicates that indexes do not need rebuilding because they are known to be empty and forcefully marks them as valid. This is an advanced option which must only be used in cases where a degraded index is known to be empty and does not therefore need rebuilding. This situation typically arises when an index is created for an attribute which has just been added to the schema. + Default: false `-i | --index {index}`:: Names of index(es) to rebuild. For an attribute index this is simply an attribute name. At least one index must be specified for rebuild. Cannot be used with the "--rebuildAll" option. `--rebuildAll`:: Rebuild all indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildDegraded" option. + Default: false `--rebuildDegraded`:: Rebuild all degraded indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildAll" option. + Default: false `--tmpdirectory {directory}`:: Path to temporary directory for index scratch files during index rebuilding. + Default: import-tmp -- -- Task Backend Connection Options `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Task Scheduling Options `--completionNotify {emailAddress}`:: Email address of a recipient to be notified when the task completes. This option may be specified more than once. `--dependency {taskID}`:: ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution. `--errorNotify {emailAddress}`:: Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once. `--failedDependencyAction {action}`:: Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL. `--recurringTask {schedulePattern}`:: Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern. `-t | --start {startTime}`:: Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately. -- -- Utility input/output options: `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e10217] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e10234] ==== Examples The following example schedules a task to start immediately that rebuilds the `cn` (common name) index. [source, console] ---- $ rebuild-index -p 4444 -h opendj.example.com -D "cn=Directory Manager" \ -w password -b dc=example,dc=com -i cn -t 0 Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM ---- ''' [#restore-1] === restore — restore OpenDJ directory data backups ==== Synopsis `restore` [#restore-description] ==== Description This utility can be used to restore a backup of a Directory Server backend. [#restore-options] ==== Options The `restore` command takes the following options: -- Command options: `-d | --backupDirectory {backupDir}`:: Path to the directory containing the backup file(s). `-I | --backupID {backupID}`:: Backup ID of the backup to restore. `-l | --listBackups`:: List available backups in the backup directory. + Default: false `-n | --dry-run`:: Verify the contents of the backup but do not restore it. + Default: false -- -- Task Backend Connection Options `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Task Scheduling Options `--completionNotify {emailAddress}`:: Email address of a recipient to be notified when the task completes. This option may be specified more than once. `--dependency {taskID}`:: ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution. `--errorNotify {emailAddress}`:: Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once. `--failedDependencyAction {action}`:: Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL. `--recurringTask {schedulePattern}`:: Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern. `-t | --start {startTime}`:: Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately. -- -- Utility input/output options: `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e10530] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e10547] ==== Examples The following example schedules a restore as a task to begin immediately while OpenDJ directory server is online. [source, console] ---- $ restore -p 4444 -D "cn=Directory Manager" -w password -d /path/to/opendj/bak -I 20110613080032 -t 0 Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST ---- The following example restores data while OpenDJ is offline. [source, console] ---- $ stop-ds Stopping Server... ... $ restore --backupDirectory /path/to/opendj/bak/userRoot \ --listBackups Backup ID: 20120928102414Z Backup Date: 28/Sep/2012:12:24:17 +0200 Is Incremental: false Is Compressed: false Is Encrypted: false Has Unsigned Hash: false Has Signed Hash: false Dependent Upon: none $ restore --backupDirectory /path/to/opendj/bak/userRoot \ --backupID 20120928102414Z [28/Sep/2012:12:26:20 +0200] ... msg=Restored: 00000000.jdb (size 355179) $ start-ds [28/Sep/2012:12:27:29 +0200] ... The Directory Server has started successfully ---- ''' [#setup-1] === setup — install OpenDJ directory server ==== Synopsis `setup` [#setup-description] ==== Description This utility can be used to setup the Directory Server. [#setup-options] ==== Options The `setup` command takes the following options: -- Command options: `-a | --addBaseEntry`:: Indicates whether to create the base entry in the Directory Server database. + Default: false `--acceptLicense`:: Automatically accepts the product license (if present). + Default: false `--adminConnectorPort {port}`:: Port on which the Administration Connector should listen for communication. + Default: 4444 `-b | --baseDN {baseDN}`:: Base DN for user information in the Directory Server. Multiple base DNs may be provided by using this option multiple times. `-d | --sampleData {numEntries}`:: Specifies that the database should be populated with the specified number of sample entries. + Default: 0 `-D | --rootUserDN {rootUserDN}`:: DN for the initial root user for the Directory Server. + Default: cn=Directory Manager `--generateSelfSignedCertificate`:: Generate a self-signed certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. + Default: false `-h | --hostname {host}`:: The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication. + Default: localhost.localdomain `-i | --cli`:: Use the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified. + Default: false `-j | --rootUserPasswordFile {rootUserPasswordFile}`:: Path to a file containing the password for the initial root user for the Directory Server. `-l | --ldifFile {ldifFile}`:: Path to an LDIF file containing data that should be added to the Directory Server database. Multiple LDIF files may be provided by using this option multiple times. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-O | --doNotStart`:: Do not start the server when the configuration is completed. + Default: false `-p | --ldapPort {port}`:: Port on which the Directory Server should listen for LDAP communication. + Default: 389 `-q | --enableStartTLS`:: Enable StartTLS to allow secure communication with the server using the LDAP port. + Default: false `-R | --rejectFile {rejectFile}`:: Write rejected entries to the specified file. `-S | --skipPortCheck`:: Skip the check to determine whether the specified ports are usable. + Default: false `--skipFile {skipFile}`:: Write skipped entries to the specified file. `-t | --backendType {backendType}`:: The type of the userRoot backend. + Default: `je` for standard edition, `pdb` for OEM edition. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate. `--useJavaKeystore {keyStorePath}`:: Path of a Java Key Store (JKS) containing a certificate to be used as the server certificate. This does not apply to the administration connector, which uses its own key store and certificate (default: config/admin-keystore and admin-cert). `--useJCEKS {keyStorePath}`:: Path of a JCEKS containing a certificate to be used as the server certificate. `--usePkcs11Keystore`:: Use a certificate in a PKCS#11 token that the server should use when accepting SSL-based connections or performing StartTLS negotiation. + Default: false `--usePkcs12keyStore {keyStorePath}`:: Path of a PKCS#12 key store containing the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-w | --rootUserPassword {rootUserPassword}`:: Password for the initial root user for the Directory Server. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate. `-x | --jmxPort {jmxPort}`:: Port on which the Directory Server should listen for JMX communication. + Default: 1689 `-Z | --ldapsPort {port}`:: Port on which the Directory Server should listen for LDAPS communication. The LDAPS port will be configured and SSL will be enabled only if this argument is explicitly specified. + Default: 636 -- -- Utility input/output options: `-n | --no-prompt`:: Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. + Default: false `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. `-Q | --quiet`:: Use quiet mode. + Default: false `-v | --verbose`:: Use verbose mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e10929] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e10946] ==== Examples The following command installs OpenDJ directory server, enabling StartTLS and importing 100 example entries without interaction. [source, console] ---- $ /path/to/opendj/setup --cli -b dc=example,dc=com -d 100 \ -D "cn=Directory Manager" -w password -h opendj.example.com -p 1389 \ --generateSelfSignedCertificate --enableStartTLS -n OpenDJ version Please wait while the setup program initializes... See /var/.../opends-setup-484...561.log for a detailed log of this operation. Configuring Directory Server ..... Done. Configuring Certificates ..... Done. Importing Automatically-Generated Data (100 Entries) ......... Done. Starting Directory Server .......... Done. To see basic server configuration status and configuration you can launch /path/to/opendj/bin/status ---- ''' [#start-ds-1] === start-ds — start OpenDJ directory server ==== Synopsis `start-ds` [#start-ds-description] ==== Description This utility can be used to start the Directory Server, as well as to obtain the server version and other forms of general server information. [#start-ds-options] ==== Options The `start-ds` command takes the following options: -- Command options: `-L | --useLastKnownGoodConfig`:: Attempt to start using the configuration that was in place at the last successful startup (if it is available) rather than using the current active configuration. + Default: false `-N | --nodetach`:: Do not detach from the terminal and continue running in the foreground. This option cannot be used with the -t, --timeout option. + Default: false `-s | --systemInfo`:: Display general system information. + Default: false `-t | --timeout {seconds}`:: Maximum time (in seconds) to wait before the command returns (the server continues the startup process, regardless). A value of '0' indicates an infinite timeout, which means that the command returns only when the server startup is completed. The default value is 60 seconds. This option cannot be used with the -N, --nodetach option. + Default: 200 -- -- Utility input/output options: `-Q | --quiet`:: Use quiet mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e11076] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e11093] ==== Examples The following command starts the server without displaying information about the startup process. [source, console] ---- $ start-ds -Q ---- ''' [#status-1] === status — display basic OpenDJ server information ==== Synopsis `status` {options} [#status-description] ==== Description This utility can be used to display basic server information. [#status-options] ==== Options The `status` command takes the following options: -- Command options: `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 -- -- LDAP connection options: `-D | --bindDN {bindDN}`:: DN to use to bind to the server. + Default: cn=Directory Manager `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Utility input/output options: `-n | --no-prompt`:: Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. + Default: false `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. `-r | --refresh {period}`:: When this argument is specified, the status command will display its contents periodically. Used to specify the period (in seconds) between two displays of the status. `-s | --script-friendly`:: Use script-friendly mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e11315] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e11332] ==== Examples [source, console] ---- $ status -D "cn=Directory Manager" -w password --- Server Status --- Server Run Status: Started Open Connections: 1 --- Server Details --- Host Name: localhost.localdomain Administrative Users: cn=Directory Manager Installation Path: /path/to/opendj Version: OpenDJ version Java Version: version Administration Connector: Port 4444 (LDAPS) --- Connection Handlers --- Address:Port : Protocol : State -------------:-------------:--------- -- : LDIF : Disabled 8989 : Replication : Enabled 0.0.0.0:161 : SNMP : Disabled 0.0.0.0:636 : LDAPS : Disabled 0.0.0.0:1389 : LDAP : Enabled 0.0.0.0:1689 : JMX : Disabled --- Data Sources --- Base DN: dc=example,dc=com Backend ID: userRoot Entries: 160 Replication: Enabled Missing Changes: 0 Age of Oldest Missing Change: Base DN: dc=myCompany,dc=com Backend ID: myCompanyRoot Entries: 3 Replication: Disabled Base DN: o=myOrg Backend ID: myOrgRoot Entries: 3 Replication: Disabled ---- ''' [#stop-ds-1] === stop-ds — stop OpenDJ directory server ==== Synopsis `stop-ds` [#stop-ds-description] ==== Description This utility can be used to request that the Directory Server stop running or perform a restart. When run without connection options, this utility sends a signal to the OpenDJ process to stop the server. When run with connection options, this utility connects to the OpenDJ administration port and creates a shutdown task to stop the server. [#stop-ds-options] ==== Options The `stop-ds` command takes the following options: -- Command options: `-r | --stopReason {stopReason}`:: Reason the server is being stopped or restarted. `-R | --restart`:: Attempt to automatically restart the server once it has stopped. + Default: false `-t | --stopTime {stopTime}`:: Indicates the date/time at which the shutdown operation will begin as a server task expressed in format YYYYMMDDhhmmssZ for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the shutdown to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately. `-Y | --proxyAs {authzID}`:: Use the proxied authorization control with the given authorization ID. -- -- LDAP connection options: `-D | --bindDN {bindDN}`:: DN to use to bind to the server. `-h | --hostname {host}`:: Directory server hostname or IP address. + Default: localhost.localdomain `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of certificate for SSL client authentication. `-o | --saslOption {name=value}`:: SASL bind options. `-p | --port {port}`:: Directory server administration port number. + Default: 4444 `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Utility input/output options: `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. `-Q | --quiet`:: Use quiet mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e11579] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e11596] ==== Examples The following example restarts OpenDJ directory server. [source, console] ---- $ stop-ds --restart Stopping Server... ...The Directory Server has started successfully ---- ''' [#uninstall-1] === uninstall — remove OpenDJ directory server software ==== Synopsis `uninstall` {options} [#uninstall-description] ==== Description This utility can be used to uninstall the Directory Server. [#uninstall-options] ==== Options The `uninstall` command takes the following options: -- Command options: `-a | --remove-all`:: Remove all components of the server (this option is not compatible with the rest of remove options). + Default: false `-b | --backup-files`:: Remove backup files. + Default: false `-c | --configuration-files`:: Remove configuration files. + Default: false `--connectTimeout {timeout}`:: Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. + Default: 30000 `-d | --databases`:: Remove database contents. + Default: false `-e | --ldif-files`:: Remove LDIF files. + Default: false `-f | --forceOnError`:: Specifies whether the uninstall should continue if there is an error updating references to this server in remote server instances or not. This option can only be used with the --no-prompt no prompt option. + Default: false `-i | --cli`:: Use the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified. + Default: false `-l | --server-libraries`:: Remove Server Libraries and Administrative Tools. + Default: false `-L | --log-files`:: Remove log files. + Default: false -- -- LDAP connection options: `-h | --referencedHostName {host}`:: The name of this host (or IP address) as it is referenced in remote servers for replication. + Default: localhost.localdomain `-I | --adminUID {adminUID}`:: User ID of the Global Administrator to use to bind to the server. + Default: admin `-j | --bindPasswordFile {bindPasswordFile}`:: Bind password file. `-K | --keyStorePath {keyStorePath}`:: Certificate key store path. `-N | --certNickname {nickname}`:: Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation. `-o | --saslOption {name=value}`:: SASL bind options. `-P | --trustStorePath {trustStorePath}`:: Certificate trust store path. `-T | --trustStorePassword {trustStorePassword}`:: Certificate trust store PIN. `-u | --keyStorePasswordFile {keyStorePasswordFile}`:: Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate. `-U | --trustStorePasswordFile {path}`:: Certificate trust store PIN file. `-w | --bindPassword {bindPassword}`:: Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument. `-W | --keyStorePassword {keyStorePassword}`:: Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate. `-X | --trustAll`:: Trust all server SSL certificates. + Default: false -- -- Utility input/output options: `-n | --no-prompt`:: Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. + Default: false `--noPropertiesFile`:: No properties file will be used to get default command line argument values. + Default: false `--propertiesFilePath {propertiesFilePath}`:: Path to the file containing default property values used for command line arguments. `-Q | --quiet`:: Use quiet mode. + Default: false `-v | --verbose`:: Use verbose mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e11913] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e11930] ==== Examples The following command removes OpenDJ directory server without interaction. [source, console] ---- $ /path/to/opendj/uninstall -a --cli -I admin -w password -n Stopping Directory Server ..... Done. Deleting Files under the Installation Path ..... Done. The Uninstall Completed Successfully. To complete the uninstallation, you must delete manually the following files and directories: /path/to/opendj/lib See /var/.../opends-uninstall-3...0.log for a detailed log of this operation. $ rm -rf /path/to/opendj ---- ''' [#upgrade-1] === upgrade — upgrade OpenDJ configuration and application data ==== Synopsis `upgrade` {options} [#upgrade-description] ==== Description Upgrades OpenDJ configuration and application data so that it is compatible with the installed binaries. This tool should be run immediately after upgrading the OpenDJ binaries and before restarting the server. NOTE: this tool does not provide backup or restore capabilities. Therefore, it is the responsibility of the OpenDJ administrator to take necessary precautions before performing the upgrade. This utility thus performs only part of the upgrade process, which includes the following phases for a single server. . Get and unpack a newer version of OpenDJ directory server software. . Stop the current OpenDJ directory server. . Overwrite existing binary and script files with those of the newer version, and then run this utility before restarting OpenDJ. . Start the upgraded OpenDJ directory server. [IMPORTANT] ==== This utility __does not back up OpenDJ before you upgrade, nor does it restore OpenDJ if the utility fails__. In order to revert a failed upgrade, make sure you back up OpenDJ directory server before you overwrite existing binary and script files. ==== By default this utility requests confirmation before making important configuration changes. You can use the `--no-prompt` option to run the command non-interactively. When using the `--no-prompt` option, if this utility cannot complete because it requires confirmation for a potentially very long or critical task, then it exits with an error and a message about how to finish making the changes. You can add the `--force` option to force a non-interactive upgrade to continue in this case, also performing long running and critical tasks. After upgrading, see the resulting `upgrade.log` file for a full list of operations performed. [#upgrade-options] ==== Options The `upgrade` command takes the following options: -- Command options: `--acceptLicense`:: Automatically accepts the product license (if present). + Default: false `--force`:: Forces a non-interactive upgrade to continue even if it requires user interaction. In particular, long running or critical upgrade tasks, such as re-indexing, which require user confirmation will be skipped. This option may only be used with the 'no-prompt' option. + Default: false `--ignoreErrors`:: Ignores any errors which occur during the upgrade. This option should be used with caution and may be useful in automated deployments where potential errors are known in advance and resolved after the upgrade has completed. + Default: false -- -- Utility input/output options: `-n | --no-prompt`:: Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. + Default: false `-Q | --quiet`:: Use quiet mode. + Default: false `-v | --verbose`:: Use verbose mode. + Default: false -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e12119] ==== Exit Codes -- 0:: The command completed successfully. 2:: The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task. + See the error message or the log for details. other:: An error occurred. -- See the __OpenDJ Installation Guide__ for an example upgrade process for OpenDJ directory server installed from the cross-platform (.zip) delivery. Native packages (.deb, .rpm) perform more of the upgrade process, stopping OpenDJ if it is running, overwriting older files with newer files, running this utility, and starting OpenDJ if it was running when you upgraded the package(s). ''' [#verify-index-1] === verify-index — check index for consistency or errors ==== Synopsis `verify-index` [#verify-index-description] ==== Description This utility can be used to ensure that index data is consistent within an indexed backend database. [#verify-index-options] ==== Options The `verify-index` command takes the following options: -- Command options: `-b | --baseDN {baseDN}`:: Base DN of a backend supporting indexing. Verification is performed on indexes within the scope of the given base DN. `-c | --clean`:: Specifies that a single index should be verified to ensure it is clean. An index is clean if each index value references only entries containing that value. Only one index at a time may be verified in this way. + Default: false `--countErrors`:: Count the number of errors found during the verification and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions). + Default: false `-i | --index {index}`:: Name of an index to be verified. For an attribute index this is simply an attribute name. Multiple indexes may be verified for completeness, or all indexes if no indexes are specified. An index is complete if each index value references all entries containing that value. -- -- General options: `-V | --version`:: Display Directory Server version information. + Default: false -- -- `-H | --help`:: Display this usage information. + Default: false -- [#d1822e12247] ==== Exit Codes -- 0:: The command completed successfully. 1:: The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task. + See the error message or the log for details. 0-255:: The number of errors in the index, as indicated for the `--countErrors` option. -- [#d1822e12275] ==== Examples The following example shows how to verify the `sn` (surname) index for completeness and for errors. The messages shown are for a backend of type `pdb`. The output is similar for other backend types: [source, console] ---- $ verify-index -b dc=example,dc=com -i sn --clean --countErrors [20/05/2015:14:24:18 +0200] category=...PDBStorage seq=0 severity=INFO msg=The PDB storage for backend 'userRoot' initialized to use 57528 buffers of 16384 bytes (total 920448kb) [20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=1 severity=INFO msg=Checked 478 records and found 0 error(s) in 0 seconds (average rate 3594.0/sec) [20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=2 severity=FINE msg=Number of records referencing more than one entry: 224 [20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=3 severity=FINE msg=Number of records that exceed the entry limit: 0 [20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=4 severity=FINE msg=Average number of entries referenced is 2.00/record [20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=5 severity=FINE msg=Maximum number of entries referenced by any record is 32 ---- ''' [#windows-service] === windows-service — register OpenDJ as a Windows Service ==== Synopsis `windows-service` {options} [#d1822e12323] ==== Description This utility can be used to run OpenDJ directory server as a Windows Service. [#d1822e12328] ==== Service Options -- `-c, --cleanupService serviceName`:: Disable the service and clean up the windows registry information associated with the provided service name `-d, --disableService`:: Disable the server as a Windows service and stop the server `-e, --enableService`:: Enable the server as a Windows service `-s, --serviceState`:: Provide information about the state of the server as a Windows service -- [#d1822e12362] ==== General Options -- `-V, --version`:: Display version information `-?, -H, --help`:: Display usage information -- [#d1822e12380] ==== Exit Codes -- 0:: The command completed successfully. > 0:: An error occurred. -- [#d1822e12396] ==== Example The following command registers OpenDJ directory server as a Windows Service. [source, console] ---- C:\path\to\opendj\bat> windows-service.bat --enableService ---- After running this command, you can manage the service using Windows administration tools.