Modifying configuration entries using ldap, Note, Configuration changes requiring server restart – Red Hat 8.1 User Manual

Page 16


2.2.2.1. Modifying Configuration Entries Using LDAP

The configuration entries in the directory can be searched and modified using LDAP, either via the
Directory Server Console or by performing ldapsearch and ldapmodify operations in the same way
as for other directory entries. The advantage of using LDAP to modify entries is that changes can be
made while the server is running.

For further information, see the "Creating Directory Entries" chapter in the Directory Server
Administrator's Guide. However, certain changes do require the server to be restarted before they are
taken into account. See Section 2.2.2.3, “Configuration Changes Requiring Server Restart” for further
information.

NOTE

As with any set of configuration files, care should be taken when changing or deleting nodes in
the cn=config subtree as this risks affecting Directory Server functionality.

The entire configuration, including attributes that always take default values, can be viewed by
performing an ldapsearch operation on the cn=config subtree:

ldapsearch -b cn=config -D bindDN -w password

bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory
Manager by default). password is the password chosen for the Directory Manager.

For more information on using ldapsearch, see Section 6.4, “ldapsearch”.

To disable a plug-in, use ldapmodify to edit the nsslapd-pluginEnabled attribute:

ldapmodify -D cn="directory manager" -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off

2.2.2.2. Restrictions to Modifying Configuration Entries and Attributes

Certain restrictions apply when modifying server entries and attributes:

The cn=monitor entry and its child entries are read-only and cannot be modified, except to
manage ACIs.
If an attribute is added to cn=config, the server ignores it.
If an invalid value is entered for an attribute, the server ignores it.
Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove an attribute
from an entry.

2.2.2.3. Configuration Changes Requiring Server Restart

Some configuration attributes cannot be altered while the server is running. In these cases, for the
changes to take effect, the server needs to be shut down and restarted. The modifications should be
made either through the Directory Server Console or by manually editing the dse.ldif file. Some of the
attributes that require a server restart for any changes to take effect are listed below. This list is not
exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart
attribute. For example:

ldapsearch -p 389 -D "cn=directory manager" -w password -s sub -b "cn=config" "(objectclass=*)" | grep nsslapd-requiresrestart

nsslapd-cachesize
nsslapd-certdir
nsslapd-dbcachesize
nsslapd-dbncache
nsslapd-plugin
nsslapd-changelogdir
nsslapd-changelogmaxage
nsslapd-changelogmaxentries
nsslapd-port
nsslapd-schemadir
nsslapd-saslpath
nsslapd-secureport
nsslapd-tmpdir
nsSSL2
nsSSL3
nsSSLclientauth
nsSSLSessionTimeout
nsslapd-conntablesize
nsslapd-lockdir
nsslapd-maxdescriptors
nsslapd-reservedescriptors
nsslapd-listenhost
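As an added example that is not part of this manual, the following Python pre-flight check ties together the ldapsearch/grep query above and the restrictions in Section 2.2.2.2: it reads the nsslapd-requiresrestart values returned by the server and a planned ldapmodify LDIF, then reports which planned changes touch a restart-requiring attribute and which target the read-only cn=monitor subtree. Both inputs are constructed sample data; the "entry:attribute" layout of the nsslapd-requiresrestart values is an assumption of this example (the parser also accepts a bare attribute name), and the function names are the example's own.

```python
import re

# Constructed sample of what
#   ldapsearch ... -s sub -b "cn=config" "(objectclass=*)" | grep nsslapd-requiresrestart
# might return. The "entry:attribute" value layout is an assumption of this
# example; a bare attribute name (last line) is accepted as well.
SAMPLE_REQUIRESRESTART = """\
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config:nsslapd-listenhost
nsslapd-requiresrestart: cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-dbcachesize
nsslapd-requiresrestart: nsSSL3
"""

# Constructed ldapmodify input that an administrator intends to apply.
SAMPLE_CHANGES = """\
dn: cn=config
changetype: modify
replace: nsslapd-port
nsslapd-port: 10389
-
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off

dn: cn=monitor
changetype: modify
replace: description
description: not allowed, cn=monitor is read-only
"""


def parse_requires_restart(text):
    """Return the lower-cased attribute names flagged as needing a restart."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"nsslapd-requiresrestart:\s*(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1).strip()
        # Accept "entry:attribute" or a bare attribute: take the part after the last ':'
        names.add(value.rsplit(":", 1)[-1].strip().lower())
    return names


def parse_modify_ldif(text):
    """Yield (dn, attribute) for every add/replace/delete directive in modify LDIF."""
    dn = None
    for line in text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif dn is not None:
            m = re.match(r"(add|replace|delete):\s*(\S+)", line, re.IGNORECASE)
            if m:
                yield dn, m.group(2)


def preflight(changes_ldif, requires_restart_text):
    """Classify each planned change as 'restart', 'readonly' or 'live'."""
    restart_attrs = parse_requires_restart(requires_restart_text)
    findings = []
    for dn, attr in parse_modify_ldif(changes_ldif):
        dn_norm = re.sub(r"\s*,\s*", ",", dn.lower())
        if (dn_norm == "cn=monitor" or dn_norm.endswith(",cn=monitor")) and attr.lower() != "aci":
            verdict = "readonly"   # cn=monitor subtree is read-only except for ACI management
        elif attr.lower() in restart_attrs:
            verdict = "restart"    # takes effect only after the server is restarted
        else:
            verdict = "live"       # can be applied with ldapmodify on the running server
        findings.append((dn, attr, verdict))
    return findings


def needs_restart(findings):
    """True if at least one planned change requires a server restart."""
    return any(verdict == "restart" for _, _, verdict in findings)


if __name__ == "__main__":
    results = preflight(SAMPLE_CHANGES, SAMPLE_REQUIRESRESTART)
    for dn, attr, verdict in results:
        print(f"{verdict:8s} {attr} on {dn}")
    print("restart required:", needs_restart(results))
```

Run the check against the real ldapsearch output before applying a change set; a "readonly" finding means the modification will not take effect at all, and a "restart" finding means the change must be scheduled with a service restart (or made in dse.ldif while the server is stopped) rather than assumed to be live.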


Chapter 2. Core Server Configuration Reference
