Global Configuration

The global configuration contains properties that affect the overall
operation of the Directory Server.

LDAP object class: ds-cfg-root-config (superior: top)
ds-cfg-check-schema (default: true)
  Indicates whether schema enforcement is active. When schema enforcement
  is active, the Directory Server ensures that all operations result in
  entries that are valid according to the defined server schema. It is
  strongly recommended that this option be left enabled to prevent the
  inadvertent addition of invalid data into the server.
ds-cfg-default-password-policy
  Specifies the name of the password policy that will be in effect for
  users whose entries do not specify an alternate password policy (either
  via a real or virtual attribute).
ds-cfg-add-missing-rdn-attributes (default: true)
  Indicates whether the Directory Server should automatically add any
  attribute values contained in the entry's RDN into that entry when
  processing an add request.
ds-cfg-allow-attribute-name-exceptions (default: false)
  Indicates whether the Directory Server should allow the use of
  underscores in attribute names, and should allow attribute names to
  begin with numeric digits (both of which are violations of the LDAP
  standards).
ds-cfg-invalid-attribute-syntax-behavior (default: reject)
  Specifies how the Directory Server should handle operations which would
  result in an attribute value that violates the associated attribute
  syntax. Possible behaviours:
    - The Directory Server will silently accept attribute values that are
      invalid according to their associated syntax. Matching operations
      targeting those values may not behave as expected.
    - The Directory Server will reject attribute values that are invalid
      according to their associated syntax.
    - The Directory Server will accept attribute values that are invalid
      according to their associated syntax, but will also log a warning
      message to the error log. Matching operations targeting those values
      may not behave as expected.
ds-cfg-server-error-result-code (default: 80)
  Specifies the numeric value of the result code that should be used for
  cases in which request processing fails due to an internal server error.
ds-cfg-single-structural-objectclass-behavior (default: reject)
  Specifies how the Directory Server should handle operations which would
  result in an entry without any structural object class, or that would
  result in an entry containing multiple structural classes. Possible
  behaviours:
    - The Directory Server will silently accept entries that do not
      contain exactly one structural object class. Certain schema features
      that depend on the entry's structural class may not behave as
      expected.
    - The Directory Server will reject entries that do not contain exactly
      one structural object class.
    - The Directory Server will accept entries that do not contain exactly
      one structural object class, but will also log a warning message to
      the error log. Certain schema features that depend on the entry's
      structural class may not behave as expected.
ds-cfg-notify-abandoned-operations (default: false)
  Indicates whether the Directory Server should send a response to any
  operation that is interrupted via an abandon request. The LDAP
  specification states that abandoned operations should not receive any
  response, but this may cause problems with client applications that
  always expect to receive a response to each request.
ds-cfg-size-limit (default: 1000)
  Specifies the maximum number of entries that the Directory Server should
  return to the client in the course of processing a search operation. A
  value of 0 indicates that no size limit will be enforced. Note that this
  is the default server-wide limit, but it may be overridden on a per-user
  basis using the ds-rlim-size-limit operational attribute.
ds-cfg-time-limit (default: 60 seconds)
  Specifies the maximum length of time that the Directory Server should
  spend processing a search operation. A value of 0 seconds indicates that
  no time limit will be enforced. Note that this is the default
  server-wide time limit, but it may be overridden on a per-user basis
  using the ds-rlim-time-limit operational attribute.
ds-cfg-proxied-authorization-identity-mapper
  Specifies the name of the identity mapper that will be used to map
  authorization ID values (using the "u:" form) provided in the proxied
  authorization control to the corresponding user entry.
ds-cfg-writability-mode (default: enabled)
  Specifies which kinds of write operations the Directory Server should
  attempt to process. Possible modes:
    - The Directory Server will attempt to process all write operations
      that are requested of it, regardless of their origin.
    - The Directory Server will reject all write operations that are
      requested of it, regardless of their origin.
    - The Directory Server will attempt to process write operations
      requested as internal operations or through synchronization, but
      will reject any such operations requested from external clients.
ds-cfg-reject-unauthenticated-requests (default: false)
  Indicates whether the Directory Server should reject any request (other
  than bind or StartTLS requests) received from a client that has not yet
  authenticated, whose last authentication attempt was unsuccessful, or
  whose last authentication attempt used anonymous authentication.
ds-cfg-bind-with-dn-requires-password (default: true)
  Indicates whether the Directory Server should reject any simple bind
  request that contains a DN but no password. Although such bind requests
  are technically allowed by the LDAPv3 specification (and should be
  treated as anonymous simple authentication), they may introduce security
  problems in applications that do not verify that the client actually
  provided a password.
ds-cfg-lookthrough-limit (default: 5000)
  Specifies the maximum number of entries that the Directory Server should
  "look through" in the course of processing a search request. This
  includes any entry that the server must examine in the course of
  processing the request, regardless of whether it actually matches the
  search criteria. A value of 0 indicates that no lookthrough limit will
  be enforced. Note that this is the default server-wide limit, but it may
  be overridden on a per-user basis using the ds-rlim-lookthrough-limit
  operational attribute.
ds-cfg-smtp-server (multi-valued; no default)
  Specifies the address (and optional port number) for a mail server that
  can be used to send e-mail messages via SMTP. It may be an IP address or
  resolvable hostname, optionally followed by a colon and a port number.
  If no values are defined, then it will not be possible to take advantage
  of server features that may provide the ability to send e-mail via SMTP.
  Syntax: HOST[:PORT], a hostname optionally followed by a ":" followed by
  a port number (pattern: ^.+(:[0-9]+)?$).
ds-cfg-allowed-task (multi-valued; no default)
  Specifies the fully-qualified name of a Java class that may be invoked
  in the server. Any attempt to invoke a task not included in the list of
  allowed tasks will be rejected. If no values are defined, then the
  server will not allow any tasks to be invoked.
ds-cfg-disabled-privilege (multi-valued; no default)
  Specifies the name of a privilege that should not be evaluated by the
  server. If a privilege is disabled, then it will be assumed that all
  clients (including unauthenticated clients) will have that privilege.
  If no values are defined, then the server will enforce all privileges.
  The privileges that may be disabled are:
    - Allows the associated user to bypass access control checks
      performed by the server.
    - Allows the associated user to modify the server's access control
      configuration.
    - Allows the associated user to read the server configuration.
    - Allows the associated user to update the server configuration. The
      config-read privilege is also required.
    - Allows the associated user to perform JMX read operations.
    - Allows the associated user to perform JMX write operations.
    - Allows the associated user to subscribe to receive JMX
      notifications.
    - Allows the user to request that the server process LDIF import
      tasks.
    - Allows the user to request that the server process LDIF export
      tasks.
    - Allows the user to request that the server process backup tasks.
    - Allows the user to request that the server process restore tasks.
    - Allows the user to request that the server shut down.
    - Allows the user to request that the server perform an in-core
      restart.
    - Allows the user to use the proxied authorization control, or to
      perform a bind that specifies an alternate authorization identity.
    - Allows the user to terminate other client connections.
    - Allows the user to cancel operations in progress on other client
      connections.
    - Allows the user to reset user passwords.
    - Allows the user to participate in data synchronization.
    - Allows the user to make changes to the server schema.
    - Allows the user to make changes to the set of defined root
      privileges, as well as to grant and revoke privileges for users.
    - Allows the user to request that the server process a search that
      cannot be optimized using server indexes.
ds-cfg-return-bind-error-messages (default: false)
  Indicates whether responses for failed bind operations should include a
  message string providing the reason for the authentication failure.
  Note that these messages may include information that could potentially
  be used by an attacker. If this option is disabled, then these messages
  will appear only in the server's access log.
ds-cfg-idle-time-limit (default: 0 seconds)
  Specifies the maximum length of time that a client connection may remain
  established since its last completed operation. A value of "0 seconds"
  indicates that no idle time limit will be enforced.
ds-cfg-save-config-on-successful-startup (default: true)
  Indicates whether the Directory Server should save a copy of its
  configuration whenever the startup process completes successfully. This
  can ensure that the server provides a "last known good" configuration,
  which can be used as a reference (or copied into the active config) if
  the server fails to start with the current "active" configuration.
ds-cfg-workflow-configuration-mode (default: auto)
  Specifies the workflow configuration mode (auto vs. manual).
    - auto: there is no workflow configuration. The workflows are created
      automatically based on the backend configuration. There will be one
      workflow per backend base DN.
    - manual: each workflow is created according to its description in
      the configuration.