dsconfig1 dsconfig manage OpenDJ directory server configuration dsconfig [subcommand] options This utility serves to configure a running directory server. The dsconfig command is the primary command-line tool for viewing and editing OpenDJ configuration. When started without arguments, dsconfig prompts you for administration connection information, including the host name, administration port number, administrator bind DN and administrator password. The dsconfig command then connects securely to the directory server over the administration port. Once connected it presents you with a menu-driven interface to the server configuration. When you pass connection information, subcommands, and additional options to dsconfig, the command runs in script mode and so is not interactive, though it can prompt you to ask whether to apply changes and whether to trust certificates (unless you use the --no-prompt and --trustAll options, respectively). You can prepare dsconfig batch scripts by running the tool with the --commandFilePath option in interactive mode, then reading from the batch file with the --batchFile option in script mode. Batch files can be useful when you have many dsconfig commands to run and want to avoid starting the JVM and setting up a new connection for each command. The dsconfig command categorizes directory server configuration into components, also called managed objects. Actual components often inherit from a parent component type. For example, one component is a Connection Handler. An LDAP Connection Handler is a type of Connection Handler. You configure the LDAP Connection Handler component to specify how OpenDJ directory server handles LDAP connections coming from client applications. Configuration components have properties. For example, the LDAP Connection Handler component has properties such as listen-port and allow-start-tls. You can set the component's listen-port property to 389 to use the default LDAP port number. You can set the component's allow-start-tls property to true to permit LDAP client applications to use StartTLS. Much of the configuration you do with dsconfig involves setting component properties. The OpenDJ Configuration Reference covers all dsconfig component properties in detail, drawing on the documentation you also view when getting help through the dsconfig command. The dsconfig command provides many subcommands. Use the following options to view help for subcommands. See dsconfig Subcommands for details of individual subcommands. dsconfig --help-all Display all subcommands dsconfig --help-core-server Display subcommands relating to core server dsconfig --help-database Display subcommands relating to caching and back-ends dsconfig --help-logging Display subcommands relating to logging dsconfig --help-replication Display subcommands relating to replication dsconfig --help-security Display subcommands relating to authentication and authorization dsconfig --help-user-management Display subcommands relating to user management For help with individual subcommands, either use dsconfig subcommand --help, or start dsconfig in interactive mode, without specifying a subcommand. To view component properties, use the dsconfig list-properties command. The following options are supported for all dsconfig subcommands. --advanced Allows the configuration of advanced components and properties --connectTimeout {timeout} Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. Default value: 30000 -h, --hostname {host} Directory server hostname or IP address Default value: localhost.localdomain -I, --adminUID {adminUID} User ID of the global administrator to use to bind to the server. For the enable subcommand, if no global administrator was defined previously for any servers, the global administrator will be created using the UID provided. Default value: admin -j, --adminPasswordFile {bindPasswordFile} Global administrator password file -K, --keyStorePath {keyStorePath} Certificate key store path -N, --certNickname {nickname} Nickname of certificate for SSL client authentication -o, --saslOption {name=value} SASL bind options -p, --port {port} Directory server administration port number Default value: 4444 -P, --trustStorePath {trustStorePath} Certificate trust store path Default value: /path/to/OpenDJ/config/admin-truststore -T, --trustStorePassword {trustStorePassword} Certificate trust store PIN -u, --keyStorePasswordFile {keyStorePasswordFile} Certificate key store PIN file -U, --trustStorePasswordFile {path} Certificate trust store PIN file -w, --adminPassword {bindPassword} Password for the global administrator -W, --keyStorePassword {keyStorePassword} Certificate key store PIN -X, --trustAll Trust all server SSL certificates --commandFilePath {path} The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode. --displayCommand Display the equivalent non-interactive option on standard output when this command is run in interactive mode. -F, --batchFilePath {batchFilePath} Path to a batch file containing a set of dsconfig commands to be executed -n, --no-prompt Use non-interactive mode. If data in the command is missing, the user is not prompted and the command exits with an error. --noPropertiesFile No properties file will be used to get default command line argument values --propertiesFilePath {propertiesFilePath} Path to the file containing default property values used for command line arguments -Q, --quiet Do not write progress information to standard output -s, --script-friendly Use script-friendly mode -v, --verbose Use verbose mode --version Display version information -?, -H, --help Display usage information This section covers individual dsconfig subcommands. Subcommands let you create, list, and delete entire configuration components, and also let you get and set component properties. Subcommands therefore have names that reflect these five actions. create-component list-components delete-component get-component-prop set-component-prop 0 The command completed successfully. > 0 An error occurred. Much of the OpenDJ Administration Guide consists of dsconfig examples with text in between. This section therefore remains short. The following example starts dsconfig in interactive, menu-driven mode on the default port of the current host. $ dsconfig -h `hostname` -p 4444 -D "cn=Directory Manager" -w password >>>> OpenDJ configuration console main menu What do you want to configure? 1) Access Control Handler 23) Log Rotation Policy 2) Account Status Notification Handler 24) Matching Rule 3) Administration Connector 25) Monitor Provider 4) Alert Handler 26) Network Group 5) Attribute Syntax 27) Network Group QOS Policy 6) Backend 28) Password Generator 7) Certificate Mapper 29) Password Policy 8) Connection Handler 30) Password Storage Scheme 9) Crypto Manager 31) Password Validator 10) Debug Target 32) Plugin 11) Entry Cache 33) Plugin Root 12) Extended Operation Handler 34) Replication Domain 13) Extension 35) Replication Server 14) External Changelog Domain 36) Root DN 15) Global Configuration 37) Root DSE Backend 16) Group Implementation 38) SASL Mechanism Handler 17) Identity Mapper 39) Synchronization Provider 18) Key Manager Provider 40) Trust Manager Provider 19) Local DB Index 41) Virtual Attribute 20) Local DB VLV Index 42) Work Queue 21) Log Publisher 43) Workflow 22) Log Retention Policy 44) Workflow Element q) quit Enter choice: The following examples demonstrates generating a batch file that corresponds to an interactive session enabling the debug log. The example then demonstates using a modified batch file to disable the debug log. $ dsconfig --hostname `hostname` --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --commandFilePath ~/enable-debug-log.batch ... $ cat ~/enable-debug-log.batch # dsconfig session start date: 19/Oct/2011:08:52:22 +0000 # Session operation number: 1 # Operation date: 19/Oct/2011:08:55:06 +0000 dsconfig set-log-publisher-prop \ --publisher-name File-Based\ Debug\ Logger \ --set enabled:true \ --hostname opendj.example.com \ --port 4444 \ --trustStorePath /path/to/OpenDJ/config/admin-truststore \ --bindDN cn=Directory\ Manager \ --bindPassword ****** \ --no-prompt $ cp ~/enable-debug-log.batch ~/disable-debug-log.batch $ vi ~/disable-debug-log.batch $ cat ~/disable-debug-log.batch set-log-publisher-prop \ --publisher-name File-Based\ Debug\ Logger \ --set enabled:false \ --hostname opendj.example.com \ --port 4444 \ --trustStorePath /path/to/OpenDJ/config/admin-truststore \ --bindDN cn=Directory\ Manager \ --bindPassword password \ --no-prompt $ dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt set-log-publisher-prop --publisher-name File-Based Debug Logger --set enabled:false --hostname opendj.example.com --port 4444 --trustStorePath /path/to/OpenDJ/config/admin-truststore --bindDN cn=Directory Manager --bindPassword password --no-prompt $ Notice that the original command file looks like a shell script with the bind password value replaced by asterisks. To pass the content as a batch file to dsconfig, strip dsconfig itself, and include the bind password for the administrative user (or replace that option with an alternative, such as reading the password from a file).