nsslapd-errorlog-mode (Error Log File Permission), nsslapd-groupevalnestlevel, nsslapd-idletimeout (Default Idle Timeout) – Red Hat 8.1 User Manual

2.3.1.58. nsslapd-errorlog-mode (Error Log File Permission)

This attribute sets the access mode (file permissions) with which error log files are created. Valid
values are 000 through 777, mirroring numbered (absolute) UNIX file permissions. That is, the value
must be a 3-digit number in which each digit ranges from 0 through 7:

0 - None
1 - Execute only
2 - Write only
3 - Write and execute
4 - Read only
5 - Read and execute
6 - Read and write
7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the
group's permissions, and the third digit represents everyone's permissions. When changing the default
value, remember that 000 does not allow access to the logs and that allowing write permissions to
everyone can result in the logs being overwritten or deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set when the log
rotates to a new file.

Parameter        Description
Entry DN         cn=config
Valid Range      000 through 777
Default Value    600
Syntax           Integer
Example          nsslapd-errorlog-mode: 600
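
The following shell functions are an added example, not part of the manual: they validate a candidate nsslapd-errorlog-mode value against the rules above, emit the LDIF change for cn=config only when the value passes, and list log files that still carry a different mode because they were created before the change. The function names, the directory argument and the sample file names are assumptions; pass the instance's actual log directory.

```shell
#!/bin/sh
# Added example, not from the manual. Directory and file names are constructed.

# check_mode MODE: validate a value for nsslapd-errorlog-mode.
# Prints a verdict; returns 0 = ok, 1 = invalid, 2 = valid but risky.
check_mode() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid: need three digits, each 0 through 7"; return 1 ;;
    esac
    if [ "$1" = 000 ]; then
        echo "risky: 000 does not allow access to the logs"; return 2
    fi
    case ${1#??} in   # third digit = everyone; 2, 3, 6, 7 include write
        2|3|6|7) echo "risky: everyone can write to the logs"; return 2 ;;
    esac
    echo "ok"
}

# mode_ldif MODE: emit an LDIF change for cn=config, only for a mode that passes.
mode_ldif() {
    check_mode "$1" >/dev/null || return $?
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-errorlog-mode\nnsslapd-errorlog-mode: %s\n' "$1"
}

# stale_logs DIR MODE: list regular files in DIR whose permission bits differ
# from MODE, i.e. logs created before the change that have not rotated yet.
stale_logs() {
    find "$1" -type f ! -perm "$2" | sort
}

# Constructed demo in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/sample-current.log" "$d/sample-old.log"
    chmod 600 "$d/sample-current.log"
    chmod 644 "$d/sample-old.log"
    check_mode 600
    stale_logs "$d" 600
    rm -rf "$d"
}
demo
```

Files reported by stale_logs keep their old permissions until the log rotates, so tighten them by hand if the old mode was too permissive.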

2.3.1.59. nsslapd-groupevalnestlevel

This attribute is deprecated, and documented here only for historical purposes.

The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel
attribute to set the number of levels of nesting that access control performs for group evaluation.
Instead, the number of levels of nesting is hard-coded as 5.

Parameter        Description
Entry DN         cn=config
Valid Range      0 to 5
Default Value    5
Syntax           Integer
Example          nsslapd-groupevalnestlevel: 5

2.3.1.60. nsslapd-idletimeout (Default Idle Timeout)

This attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by
the server. A value of 0 means that the server never closes idle connections. This setting applies to all
connections and all users. Idle timeout is enforced when the connection table is walked, when poll()
does not return zero. Therefore, a server with a single connection never enforces the idle timeout.

Use the nsIdleTimeout operational attribute, which can be added to user entries, to override the value
assigned to this attribute. For details, see the "Setting Resource Limits Based on the Bind DN" section in
the Directory Server Administrator's Guide.

NOTE

For very large databases, with millions of entries, this attribute must have a high enough value
that the online initialization process can complete or replication will fail when the connection to the
server times out. Alternatively, the nsIdleTimeout attribute can be set to a high value on the
entry used as the supplier bind DN.

Parameter        Description
Entry DN         cn=config
Valid Range      0 to the maximum 32-bit integer value (2147483647)


Chapter 2. Core Server Configuration Reference
