16.1. Server Plug-in Functionality Reference

16.1. Server Plug-in Functionality Reference

The following tables provide a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading. These tables assist in weighing plug-in performance gains and costs and choose the optimal settings for the deployment. The Further Information section cross-references further reading, where this is available.

16.1.1. 7-Bit Check Plug-in

Plug-in Information Description
Plug-in Name 7-bit check (NS7bitAtt)
Configuration Entry DN cn=7-bit check,cn=plugins,cn=config
Description Checks certain attributes are 7-bit clean
Configurable Options on | off
Default Setting on
Configurable Arguments List of attributes (uid mail userpassword) followed by "," and then any suffixes for which the check is to occur.
Dependencies None
Performance Related Information None
Further Information If the Directory Server uses non-ASCII characters, such as Japanese characters, turn this plug-in off.
Table 16.1. Details of 7-Bit Check Plug-in

16.1.2. ACL Plug-in

Plug-in Information Description
Plug-in Name ACL Plug-in
Configuration Entry DN cn=ACL Plugin,cn=plugins,cn=config
Description ACL access check plug-in
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information See Chapter 6, Managing Access Control.
Table 16.2.  Details of ACI Plug-in

16.1.3. ACL Preoperation Plug-in

Plug-in Information Description
Plug-in Name ACL Preoperation
Configuration Entry DN cn=ACL preoperation,cn=plugins,cn=config
Description ACL access check plug-in
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies database
Performance Related Information Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information See Chapter 6, Managing Access Control.
Table 16.3. Details of the ACL Preoperation Plug-in

16.1.4. Binary Syntax Plug-in

Plug-in Information Description
Plug-in Name Binary Syntax
Configuration Entry DN cn=Binary Syntax,cn=plugins,cn=config
Description Syntax for handling binary data
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.4. Details of Binary Syntax Plug-in

16.1.5. Boolean Syntax Plug-in

Plug-in Information Description
Plug-in Name Boolean Syntax
Configuration Entry DN cn=Boolean Syntax,cn=plugins,cn=config
Description Syntax for handling booleans
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.5. Details of Boolean Syntax Plug-in

16.1.6. Case Exact String Syntax Plug-in

Plug-in Information Description
Plug-in Name Case Exact String Syntax
Configuration Entry DN cn=Case Exact String Syntax,cn=plugins,cn=config
Description Syntax for handling case-sensitive strings
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.6. Details of Case Exact String Syntax Plug-in

16.1.7. Case Ignore String Syntax Plug-in

Plug-in Information Description
Plug-in Name Case Ignore String Syntax
Configuration Entry DN cn=Case Ignore String Syntax,cn=plugins,cn=config
Description Syntax for handling case-insensitive strings
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.7. Details of Case Ignore String Syntax Plug-in

16.1.8. Chaining Database Plug-in

Plug-in Information Description
Plug-in Name Chaining Database
Configuration Entry DN cn=Chaining database,cn=plugins,cn=config
Description Syntax for handling DNs
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information There are many performance related tuning parameters involved with the chaining database. See Section 3.3, “Creating and Maintaining Database Links”.
Further Information A chaining database is also known as a database link. Database links are described in Section 3.3, “Creating and Maintaining Database Links”.
Table 16.8. Details of Cloning Database Plug-in

16.1.9. Class of Service Plug-in

Plug-in Information Description
Plug-in Name Class of Service
Configuration Entry DN cn=Class of Service,cn=plugins,cn=config
Description Allows for sharing of attributes between entries
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information See Section 5.2, “Assigning Class of Service”.
Table 16.9. Details of Class of Service Plug-in

16.1.10. Country String Syntax Plug-in

Plug-in Information Description
Plug-in Name Country String Syntax Plug-in
Configuration Entry DN cn=Country String Syntax,cn=plugins,cn=config
Description Syntax for handling countries
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.10. Details of Country String Plug-in

16.1.11. Distinguished Name Syntax Plug-in

Plug-in Information Description
Plug-in Name Distinguished Name Syntax
Configuration Entry DN cn=Distinguished Name Syntax,cn=plugins,cn=config
Description Syntax for handling DNs
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.11. Details of Distinguished Name Syntax Plug-in

16.1.12. Generalized Time Syntax Plug-in

Plug-in Information Description
Plug-in Name Generalized Time Syntax
Configuration Entry DN cn=Generalized Time Syntax,cn=plugins,cn=config
Description Syntax for dealing with dates, times and time zones
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information The Generalized Time String consists of the following:
four digit year
two digit month (for example, 01 for January)
two digit day, two digit hour
two digit minute
two digit second
decimal part of a second (optional)
a time zone indication
Red Hat strongly recommends using the Z time zone indication, which stands for Greenwich Mean Time.
Table 16.12. Details of Generalized Time Syntax Plug-in

16.1.13. Integer Syntax Plug-in

Plug-in Information Description
Plug-in Name Integer Syntax
Configuration Entry DN cn=Integer Syntax,cn=plugins,cn=config
Description Syntax for handling integers
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.13. Details of Integer Syntax Plug-in

16.1.14. Internationalization Plug-in

Plug-in Information Description
Plug-in Name Internationalization Plug-in
Configuration Entry DN cn=Internationalization Plugin,cn=plugins,cn=config
Description Syntax for handling international characters (in DNs)
Configurable Options on | off
Default Setting on
Configurable Arguments The Internationalization Plug-in has one argument which must not be modified, which specifies the location of the /etc/dirsrv/config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in.
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information See Section B.4, “Searching an Internationalized Directory” and Appendix D, Internationalization.
Table 16.14. Details of Internationalization Plug-in

16.1.15. ldbm Database Plug-in

Plug-in Information Description
Plug-in Name ldbm database Plug-in
Configuration Entry DN cn=ldbm database plug-in,cn=plugins,cn=config
Description Implements local databases
Configurable Options N/A
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information See the Directory Server Configuration, Command, and File Reference for further information on ldbm database plug-in attributes.
Further Information See Chapter 3, Configuring Directory Databases.
Table 16.15. Details of ldbm Database Plug-in

16.1.16. Legacy Replication Plug-in

Plug-in Information Description
Plug-in Name Legacy Replication Plug-in
Configuration Entry DN cn=Legacy Replication plug-in,cn=plugins,cn=config
Description Enables this version of Directory Server to be a consumer of a 4.x supplier
Configurable Options on | off
Default Setting off
Configurable Arguments None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server.
Dependencies database
Performance Related Information None
Further Information See Section 8.15, “Replication with Earlier Releases”.
Table 16.16. Details of Legacy Replication Plug-in

16.1.17. Multi-Master Replication Plug-in

Plug-in Information Description
Plug-in Name Multi-master Replication Plug-in
Configuration Entry DN cn=Multimaster Replication plugin,cn=plugins, cn=config
Description Enables replication between two Directory Servers
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies database
Performance Related Information N/A
Further Information This plug-in can only be turned off if there is only one server, which will never replicate. See also Chapter 8, Managing Replication.
Table 16.17. Details of Multi-Master Replication Plug-in

16.1.18. Octet String Syntax Plug-in

Plug-in Information Description
Plug-in Name Octet String Syntax
Configuration Entry DN cn=Octet String Syntax,cn=plugins,cn=config
Description Syntax for handling octet strings
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.18. Details of Octet String Syntax Plug-in

16.1.19. CLEAR Password Storage Plug-in

Plug-in Information Description
Plug-in Name CLEAR
Configuration Entry DN cn=CLEAR,cn=Password Storage Schemes,cn=plugins, cn=config
Description CLEAR password storage scheme used for password encryption
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information See Section 7.1, “Managing the Password Policy”.
Table 16.19. Details of CLEAR Password Storage Plug-in

16.1.20. CRYPT Password Storage Plug-in

Plug-in Information Description
Plug-in Name CRYPT
Configuration Entry DN cn=CRYPT,cn=Password Storage Schemes,cn=plugins, cn=config
Description CRYPT password storage scheme used for password encryption
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information See Section 7.1, “Managing the Password Policy”.
Table 16.20. Details of CRYPT Password Storage Plug-in

16.1.21. NS-MTA-MD5 Password Storage Plug-in

Plug-in Information Description
Plug-in Name NS-MTA-MD5
Configuration Entry DN cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins, cn=config
Description NS-MTA-MD5 password storage scheme for password encryption
Configurable Options on | off
Default Setting off
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information Passwords cannot be encrypted using the NS-MTA-MD5 password storage scheme. The storage scheme is present in Directory Server only for reasons of backward compatibility. See Section 7.1, “Managing the Password Policy”.
Table 16.21. Details of NS-MTA-MD5 Password Storage Plug-in

16.1.22. SHA Password Storage Plug-in

Plug-in Information Description
Plug-in Name SHA
Configuration Entry DN
cn=SHA, cn=Password Storage Schemes, cn=plugins, cn=config
cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
Description SHA password storage scheme for password encryption
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information If the directory does not contain passwords encrypted using the SHA password storage scheme, this plug-in can be turned off. SHA is only included for compatibility with earlier releases; Red Hat recommends use SSHA rather than SHA because SSHA is a far more secure option.
Further Information See Section 7.1, “Managing the Password Policy”.
Table 16.22. Details of SHA Password Storage Plug-in

16.1.23. SSHA Password Storage Plug-in

Plug-in Information Description
Plug-in Name SSHA
Configuration Entry DN
cn=SSHA, cn=Password Storage Schemes, cn=plugins, cn=config
cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
Description SSHA password storage scheme for password encryption
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information See Section 7.1, “Managing the Password Policy”.
Table 16.23. Details of SSHA Password Storage Plug-in

16.1.24. Postal Address String Syntax Plug-in

Plug-in Information Description
Plug-in Name Postal Address Syntax
Configuration Entry DN cn=Postal Address Syntax,cn=plugins,cn=config
Description Syntax used for handling postal addresses
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.24. Details of Postal Address String Syntax Plug-in

16.1.25. PTA Plug-in

Plug-in Information Description
Plug-in Name Pass-Through Authentication Plug-in
Configuration Entry DN cn=Pass Through Authentication,cn=plugins,cn=config
Description Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. This plug-in is not listed in the Directory Server Console if the same server is used for the user directory and configuration directory.
Configurable Options on | off
Default Setting off
Configurable Arguments ldap|ldaps://authDS/subtree
Dependencies None
Performance Related Information Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See Chapter 17, Using the Pass-through Authentication Plug-in.
Further Information See Chapter 17, Using the Pass-through Authentication Plug-in.
Table 16.25. Details of PTA Plug-in

16.1.26. Referential Integrity Postoperation Plug-in

Plug-in Information Description
Plug-in Name Referential Integrity Post-Operation
Configuration Entry DN cn=Referential Integrity Post operation,cn=plugins, cn=config
Description Enables the server to ensure referential integrity
Configurable Options All configuration and on | off
Default Setting off
Configurable Arguments When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation. The plug-in can be reconfigured to perform integrity checks on all other attributes:

  • Check for referential integrity.

    -1= no check for referential integrity
    0= check for referential integrity is performed immediately
    Positive integer= request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request at intervals corresponding to the integer (number of seconds) specified.

  • Log file for storing the change; for example /var/log/dirsrv/slapd-instance_name/referint.

  • All the additional attribute names to be checked for referential integrity.

Dependencies Database
Performance Related Information The Referential Integrity Plug-in should be enabled only on one master in a multimaster replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs. All attributes specified must be indexed for both presence and equality.
Further Information See Chapter 10, Managing Indexes for information about how to index attributes used for referential integrity checking.
Table 16.26. Details of Referential Integrity Post-Operation Plug-in

16.1.27. Retro Changelog Plug-in

Plug-in Information Description
Plug-in Name Retro Changelog Plug-in
Configuration Entry DN cn=Retro Changelog Plugin,cn=plugins,cn=config
Description Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the cn=changelog suffix to clients, so that clients can use this suffix with or without persistent search for simple sync applications.
Configurable Options on | off
Default Setting off
Configurable Arguments See the Directory Server Configuration, Command, and File Reference for further information on the two configuration attributes for the Retro Changelog Plug-in.
Dependencies None
Performance Related Information May slow down Directory Server update performance.
Further Information See Chapter 8, Managing Replication.
Table 16.27. Details of Retro Changelog Plug-in

16.1.28. Roles Plug-in

Plug-in Information Description
Plug-in Name Roles Plug-in
Configuration Entry DN cn=Roles Plugin,cn=plugins,cn=config
Description Enables the use of roles in the Directory Server.
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information See Section 5.1, “Using Roles”.
Table 16.28. Details of Roles Plug-in

16.1.29. Space Insensitive String Syntax Plug-in

Plug-in Information Description
Plug-in Name Space Insensitive String Syntax
Configuration Entry DN cn=Space Insensitive String Syntax,cn=plugins,cn=config
Description Syntax for handling space-insensitive values.
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information This plug-in enables the Directory Server to support space and case insensitive values. Applications can search the directory using entries with ASCII space characters. For example, a search or compare operation that uses John Doe will match entries that contain johndoe, john doe, and John Doe if the attribute's schema has been configured to use the space insensitive syntax. For more information about finding directory entries, see Appendix B, Finding Directory Entries.
Table 16.29. Details of Space Insensitive String Syntax Plug-in

16.1.30. State Change Plug-in

Plug-in Information Description
Plug-in Name State Change Plug-in
Configuration Entry DN cn=State Change Plugin,cn=plugins,cn=config
Description Enables state-change-notification service.
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information
Further Information
Table 16.30. Details of State Change Plug-in

16.1.31. Telephone Syntax Plug-in

Plug-in Information Description
Plug-in Name Telephone Syntax
Configuration Entry DN cn=Telephone Syntax,cn=plugins,cn=config
Description Syntax for handling telephone numbers
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.31. Details of Telephone Syntax Plug-in

16.1.32. UID Uniqueness Plug-in

Plug-in Information Description
Plug-in Name UID Uniqueness Plug-in
Configuration Entry DN cn=UID Uniqueness,cn=plugins,cn=config
Description Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.
Configurable Options on | off
Default Setting off
Configurable Arguments To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN".... However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass = "ObjectClassName" and, optionally requiredObjectClass = "ObjectClassName". This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute.
Dependencies N/A
Performance Related Information

This plug-in may slow down Directory Server performance. In a multi-master replication environment, the UID Uniqueness Plug-in will not work at all and should therefore not be enabled.

Additionally, this plug-in does not work with referrals the UID Uniqueness Plug-in fails with an operations error if it receives any other error than noSuchObject (meaning that the entry does not already exist), which prevents the new entry from being added. The referral on the subtree returns a different error message, so trying to add a new entry to a subtree with a referral while the UID Uniqueness Plug-in is enabled will fail. To prevent being blocked by such an operations error, disable the plug-in on the server where the referral is created. To run a UID uniqueness check, make sure that the plug-in is only active on the last of the referred-to servers to prevent it from blocking the referral mechanism.

Further Information See Chapter 18, Using the Attribute Uniqueness Plug-in.
Table 16.32. Details of UID Uniqueness Plug-in

16.1.33. URI Plug-in

Plug-in Information Description
Plug-in Name URI Syntax
Configuration Entry DN cn=URI Syntax,cn=plugins,cn=config
Description Syntax for handling URIs (Unique Resource Identifiers), including URLs (Unique Resource Locators)
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information
Table 16.33. Details of URI Plug-in


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.