The global configuration contains properties that affect the overall operation of the .
1.3.6.1.4.1.26027.1.2.13 ds-cfg-root-config top

Indicates whether schema enforcement is active. This property indicates whether the should ensure that all operations result in entries that are valid according to the defined server schema. It is strongly recommended that this option be left enabled to prevent the inadvertent addition of invalid data into the server.
1.3.6.1.4.1.26027.1.1.24 ds-cfg-check-schema

Specifies the DN of the configuration entry for the password policy that will be in effect for users whose entries do not specify an alternate password policy (either via a real or virtual attribute).
cn=Password Policies,cn=config
1.3.6.1.4.1.26027.1.1.202 ds-cfg-default-password-policy

Indicates whether the Directory Server should automatically add any attribute values contained in the entry's RDN into that entry when processing an add request.
true
1.3.6.1.4.1.26027.1.1.142 ds-cfg-add-missing-rdn-attributes

Indicates whether the Directory Server should allow the use of underscores in attribute names, and should allow attribute names to begin with numeric digits (both of which are violations of the LDAP standards).
false
1.3.6.1.4.1.26027.1.1.5 ds-cfg-allow-attribute-name-exceptions

Specifies how the Directory Server should handle operations which would result in an attribute value that violates the associated attribute syntax.
reject
The Directory Server will silently accept attribute values that are invalid according to their associated syntax. Matching operations targeting those values may not behave as expected.
The Directory Server will reject attribute values that are invalid according to their associated syntax.
The Directory Server will accept attribute values that are invalid according to their associated syntax, but will also log a warning message to the error log. Matching operations targeting those values may not behave as expected.
1.3.6.1.4.1.26027.1.1.44 ds-cfg-invalid-attribute-syntax-behavior

Specifies the numeric value of the result code that should be used for cases in which request processing fails due to an internal server error.
80
1.3.6.1.4.1.26027.1.1.143 ds-cfg-server-error-result-code

Specifies how the Directory Server should handle operations which would result in an entry without any structural object class, or that would result in an entry containing multiple structural classes.
reject
The Directory Server will silently accept entries that do not contain exactly one structural object class. Certain schema features that depend on the entry's structural class may not behave as expected.
The Directory Server will reject entries that do not contain exactly one structural object class.
The Directory Server will accept entries that do not contain exactly one structural object class, but will also log a warning message to the error log. Certain schema features that depend on the entry's structural class may not behave as expected.
1.3.6.1.4.1.26027.1.1.117 ds-cfg-single-structural-objectclass-behavior

Indicates whether the Directory Server should send a response to any operation that is interrupted via an abandon request. The LDAP specification states that abandoned operations should not receive any response, but this may cause problems with client applications that always expect to receive a response to each request.
false
1.3.6.1.4.1.26027.1.1.71 ds-cfg-notify-abandoned-operations

Specifies the maximum number of entries that the Directory Server should return to the client in the course of processing a search operation. A value of 0 indicates that no size limit will be enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-size-limit operational attribute.
1000
1.3.6.1.4.1.26027.1.1.118 ds-cfg-size-limit

Specifies the maximum length of time that the Directory Server should spend processing a search operation. A value of 0 seconds indicates that no time limit will be enforced. Note that this is the default server-wide time limit, but it may be overridden on a per-user basis using the ds-rlim-time-limit operational attribute.
60 seconds
1.3.6.1.4.1.26027.1.1.150 ds-cfg-time-limit

Specifies the DN of the configuration entry for the identity mapper that will be used to map authorization ID values (using the "u:" form) provided in the proxied authorization control to the corresponding user entry.
cn=Identity Mappers,cn=config
1.3.6.1.4.1.26027.1.1.149 ds-cfg-proxied-authorization-identity-mapper-dn

Specifies which kinds of write operations the Directory Server should attempt to process.
enabled
The Directory Server will attempt to process all write operations that are requested of it, regardless of their origin.
The Directory Server will reject all write operations that are requested of it, regardless of their origin.
The Directory Server will attempt to process write operations requested as internal operations or through synchronization, but will reject any such operations requested from external clients.
1.3.6.1.4.1.26027.1.1.161 ds-cfg-writability-mode

Indicates whether the Directory Server should reject any request (other than bind or StartTLS requests) received from a client that has not yet authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication.
false
1.3.6.1.4.1.26027.1.1.301 ds-cfg-reject-unauthenticated-requests

Indicates whether the Directory Server should reject any simple bind request that contains a DN but no password. Although such bind requests are technically allowed by the LDAPv3 specification (and should be treated as anonymous simple authentication), they may introduce security problems in applications that do not verify that the client actually provided a password.
true
1.3.6.1.4.1.26027.1.1.163 ds-cfg-bind-with-dn-requires-password

Specifies the maximum number of entries that the Directory Server should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria. A value of 0 indicates that no lookthrough limit will be enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-lookthrough-limit operational attribute.
5000
1.3.6.1.4.1.26027.1.1.285 ds-cfg-lookthrough-limit
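The following Python script is an added example, not part of the original page or of the Directory Server's own tooling. It audits an LDIF copy of the global configuration entry against the values described above: schema and syntax enforcement, password-less DN binds, and search limits set to 0. The sample LDIF is constructed, and the entry DN `cn=config` and the value `accept` in it are assumptions; the page itself names only `reject`.

```python
# Constructed sample entry; attribute values are invented for the demonstration.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: ds-cfg-root-config
ds-cfg-check-schema: false
ds-cfg-invalid-attribute-syntax-behavior: accept
ds-cfg-single-structural-objectclass-behavior: reject
ds-cfg-bind-with-dn-requires-password: FALSE
ds-cfg-size-limit: 0
ds-cfg-time-limit: 60 seconds
ds-cfg-lookthrough-
 limit: 5000
"""

# Attribute -> value the page recommends or lists for it.
EXPECTED = {
    "ds-cfg-check-schema": "true",
    "ds-cfg-allow-attribute-name-exceptions": "false",
    "ds-cfg-invalid-attribute-syntax-behavior": "reject",
    "ds-cfg-single-structural-objectclass-behavior": "reject",
    "ds-cfg-bind-with-dn-requires-password": "true",
}
LIMITS = ("ds-cfg-size-limit", "ds-cfg-time-limit", "ds-cfg-lookthrough-limit")  # 0 = unlimited

def parse_entry(ldif):
    """Return {lowercased attribute name: last value}, unfolding wrapped lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    pairs = (line.partition(":") for line in lines)
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def audit(ldif):
    # Returns (attribute, value, reason) for every setting weaker than described.
    entry, findings = parse_entry(ldif), []
    for attr, want in EXPECTED.items():
        got = entry.get(attr)               # absent attribute: server default applies
        if got is not None and got.lower() != want:
            findings.append((attr, got, "expected " + want))
    for attr in LIMITS:
        got = entry.get(attr)
        if got is not None and got.split()[:1] == ["0"]:
            findings.append((attr, got, "no limit enforced"))
    return findings

for finding in audit(SAMPLE_LDIF):
    print(*finding, sep=" | ")
```

Per-user ds-rlim-* overrides are not visible in this entry, so a clean result here does not cover limits raised on individual accounts.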