Chapter 15

Administering Directory Server Plug-ins

---

Red Hat Directory Server (Directory Server) plug-ins extend the functionality of the server. Directory Server ships with several plug-ins to help you manage your directory. This chapter contains general information on the types of plug-ins available and how to enable or disable them. This chapter is divided into the following sections:

• Server Plug-in Functionality Reference (page 495)
• Enabling and Disabling Plug-ins from the Server Console (page 516)

Server Plug-in Functionality Reference

The following tables provide you with a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading. These tables will allow you to weigh up plug-in performance gains and costs and choose the optimal settings for your deployment. The Further Information heading cross-references further reading, where this is available.

7-bit Check Plug-in

Table 15-1 Details of 7-Bit Check Plug-in  

Plug-in Name	7-bit check (NS7bitAtt)
DN of Configuration Entry	cn=7-bit check,cn=plugins,cn=config
Description	Checks certain attributes are 7-bit clean
Configurable Options	on | off
Default Setting	on
Configurable Arguments	List of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur.
Dependencies	None
Performance Related Information	None
Further Information	If your Directory Server uses non-ASCII characters, Japanese, for example, turn this plug-in off.

ACL Plug-in

Table 15-2 Details of ACI Plug-in  

Plug-in Name	ACL Plug-in
DN of Configuration Entry	cn=ACL Plugin,cn=plugins,cn=config
Description	ACL access check plug-in
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	N/A
Further Information	Chapter 6, "Managing Access Control."

ACL Preoperation Plug-in

Table 15-3 Details of Preoperation Plug-in  

Plug-in Name	ACL Preoperation
DN of Configuration Entry	cn=ACL preoperation,cn=plugins,cn=config
Description	ACL access check plug-in
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	database
Performance Related Information	None
Further Information	Chapter 6, "Managing Access Control."

Binary Syntax Plug-in

Table 15-4 Details of Binary Syntax Plug-in  

Plug-in Name	Binary Syntax
DN of Configuration Entry	cn=Binary Syntax,cn=plugins,cn=config
Description	Syntax for handling binary data
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Boolean Syntax Plug-in

Table 15-5 Details of Boolean Syntax Plug-in  

Plug-in Name	Boolean Syntax
DN of Configuration Entry	cn=Boolean Syntax,cn=plugins,cn=config
Description	Syntax for handling booleans
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Case Exact String Syntax Plug-in

Table 15-6 Details of Case Exact String Syntax Plug-in  

Plug-in Name	Case Exact String Syntax
DN of Configuration Entry	cn=Case Exact String Syntax,cn=plugins,cn=config
Description	Syntax for handling case-sensitive strings
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Case Ignore String Syntax Plug-in

Table 15-7 Details of Case Ignore String Syntax Plug-in  

Plug-in Name	Case Ignore String Syntax
DN of Configuration Entry	cn=Case Ignore String Syntax,cn=plugins,cn=config
Description	Syntax for handling case-insensitive strings
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Chaining Database Plug-in

Table 15-8 Details of Cloning Database Plug-in  

Plug-in Name	Chaining Database
DN of Configuration Entry	cn=Chaining database,cn=plugins,cn=config
Description	Syntax for handling DNs
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	Chapter 3, "Configuring Directory Databases."

Class of Service Plug-in

Table 15-9 Details of Class of Service Plug-in  

Plug-in Name	Class of Service
DN of Configuration Entry	cn=Class of Service,cn=plugins,cn=config
Description	Allows for sharing of attributes between entries
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	Chapter 5, "Advanced Entry Management."

Country String Syntax Plug-in

Table 15-10 Details of Country String Plug-in  

Plug-in Name	Country String Syntax Plug-in
DN of Configuration Entry	cn=Country String Syntax,cn=plugins,cn=config
Description	Syntax for handling countries
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Distinguished Name Syntax Plug-in

Table 15-11 Details of Distinguished Name Syntax Plug-in  

Plug-in Name	Distinguished Name Syntax
DN of Configuration Entry	cn=Distinguished Name Syntax,cn=plugins,cn=config
Description	Syntax for handling DNs
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Generalized Time Syntax Plug-in

Table 15-12 Details of Generalized Time Syntax Plug-in  

Plug-in Name	Generalized Time Syntax
DN of Configuration Entry	cn=Generalized Time Syntax,cn=plugins,cn=config
Description	Syntax for dealing with dates, times and time zones
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	The Generalized Time String consists of the following: four digit year two digit month (for example, 01 for January) two digit day, two digit hour two digit minute two digit second decimal part of a second (optional) a time zone indication We strongly recommend that you use the Z time zone indication, which stands for Greenwich Mean Time.

Integer Syntax Plug-in

Table 15-13 Details of Integer Syntax Plug-in  

Plug-in Name	Integer Syntax
DN of Configuration Entry	cn=Integer Syntax,cn=plugins,cn=config
Description	Syntax for handling integers
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Internationalization Plug-in

Table 15-14 Details of Internationalization Plug-in  

Plug-in Name	Internationalization Plug-in
DN of Configuration Entry	cn=Internationalization Plugin,cn=plugins,cn=config
Description	Syntax for handling international characters (in DNs)
Configurable Options	on | off
Default Setting	on
Configurable Arguments	The Internationalization Plug-in has one argument which must not be modified: serverRoot/slapd-serverID/config/slapd-collations.conf This directory stores the collation orders and locales used by the Internationalization Plug-in.
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	See Appendix D, "Internationalization."

ldbm Database Plug-in

Table 15-15 Details of ldbm Database Plug-in  

Plug-in Name	ldbm database Plug-in
DN of Configuration Entry	cn=ldbm database plug-in,cn=plugins,cn=config
Description	Implements local databases
Configurable Options	N/A
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	See Red Hat Directory Server Configuration, Command, and File Reference for further information on ldbm database plug-in attributes.
Further Information	Chapter 3, "Configuring Directory Databases."

Legacy Replication Plug-in

Table 15-16 Details of Legacy Replication Plug-in  

Plug-in Name	Legacy Replication Plug-in
DN of Configuration Entry	cn=Legacy Replication plug-in,cn=plugins,cn=config
Description	Enables this version of Directory Server to be a consumer of a 4.x supplier
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server.
Dependencies	database
Performance Related Information	None
Further Information	Chapter 8, "Managing Replication."

Multi-Master Replication Plug-in

Table 15-17 Details of Multi-Master Replication Plug-in  

Plug-in Name	Multi-master Replication Plug-in
DN of Configuration Entry	cn=Multimaster Replication plugin,cn=plugins, cn=config
Description	Enables replication between two Directory Servers
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	database
Performance Related Information	N/A
Further Information	You can turn this plug-in off if you only have one server, which will never replicate. See also Chapter 8, "Managing Replication."

Octet String Syntax Plug-in

Table 15-18 Details of Octet String Syntax Plug-in  

Plug-in Name	Octet String Syntax
DN of Configuration Entry	cn=Octet String Syntax,cn=plugins,cn=config
Description	Syntax for handling octet strings
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

CLEAR Password Storage Plug-in

Table 15-19 Details of CLEAR Password Storage Plug-in  

Plug-in Name	CLEAR
DN of Configuration Entry	cn=CLEAR,cn=Password Storage Schemes,cn=plugins, cn=config
Description	CLEAR password storage scheme used for password encryption
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	Chapter 7, "User Account Management."

CRYPT Password Storage Plug-in

Table 15-20 Details of CRYPT Password Storage Plug-in  

Plug-in Name	CRYPT
DN of Configuration Entry	cn=CRYPT,cn=Password Storage Schemes,cn=plugins, cn=config
Description	CRYPT password storage scheme used for password encryption
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	Chapter 7, "User Account Management."

NS-MTA-MD5 Password Storage Plug-in

Table 15-21 Details of NS-MTA-MD5 Password Storage Plug-in  

Plug-in Name	NS-MTA-MD5
DN of Configuration Entry	cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins, cn=config
Description	NS-MTA-MD5 password storage scheme for password encryption
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. Red Hat recommends that you leave this plug-in running at all times.
Further Information	You cannot choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is present in Red Hat Directory Server but only for reasons of backward compatibility with earlier versions of Directory Server. See Chapter 7, "User Account Management."

SHA Password Storage Plug-in

Table 15-22 Details of SHA Password Storage Plug-in  

Plug-in Name	SHA
DN of Configuration Entry	cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
Description	SHA password storage scheme for password encryption
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	If your directory does not contain passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. SHA is only included for compatibility with earlier releases; it is recommended that you use SSHA rather than SHA because SSHA is a far more secure option.
Further Information	Chapter 7, "User Account Management."

SSHA Password Storage Plug-in

Table 15-23 Details of SSHA Password Storage Plug-in  

Plug-in Name	SSHA
DN of Configuration Entry	cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
Description	SSHA password storage scheme for password encryption
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	Chapter 7, "User Account Management."

Postal Address String Syntax Plug-in

Table 15-24 Details of Postal Address String Syntax Plug-in  

Plug-in Name	Postal Address Syntax
DN of Configuration Entry	cn=Postal Address Syntax,cn=plugins,cn=config
Description	Syntax used for handling postal addresses
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

PTA Plug-in

Table 15-25 Details of PTA Plug-in  

Plug-in Name	Pass-Through Authentication Plug-in
DN of Configuration Entry	cn=Pass Through Authentication,cn=plugins,cn=config
Description	Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. This plug-in is not listed in Directory Server Console if you use the same server for your user directory and configuration directory.
Configurable Options	on | off
Default Setting	off
Configurable Arguments	ldap://redhat.com:389/o=redhat
Dependencies	None
Performance Related Information	Chapter 16, "Using the Pass-through Authentication Plug-in."
Further Information	Chapter 16, "Using the Pass-through Authentication Plug-in."

Referential Integrity Postoperation Plug-in

Table 15-26 Details of Referential Integrity Postoperation Plug-in  

Plug-in Name	Referential Integrity Postoperation
DN of Configuration Entry	cn=Referential Integrity Postoperation,cn=plugins, cn=config
Description	Enables the server to ensure referential integrity
Configurable Options	All configuration and on | off
Default Setting	off
Configurable Arguments	When enabled, the postoperation Referential Integrity Plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes. Configurable arguments are as follows: 1. Check for referential integrity -1 = no check for referential integrity 0 = check for referential integrity is performed immediately positive integer = request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request at intervals corresponding to the integer specified. 2. Log file for storing the change; for example /opt/redhat-ds/logs/referint 3. All the additional attrribute names you want to be checked for referential integrity.
Dependencies	database
Performance Related Information	You should enable the Referential Integrity Plug-in on only one master in a multimaster replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, you must be sure to analyze your performance resource and time needs as well as your integrity needs.
Further Information	See "Maintaining Referential Integrity," on page 75.

Retro Changelog Plug-in

Table 15-27 Details of Retro Changelog Plug-in  

Plug-in Name	Retro Changelog Plug-in
DN of Configuration Entry	cn=Retro Changelog Plugin,cn=plugins,cn=config
Description	Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occuring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
Configurable Options	on | off
Default Setting	off
Configurable Arguments	See Red Hat Directory Server Configuration, Command, and File Reference for further information on the two configuration attributes for the Retro Changelog Plug-in.
Dependencies	None
Performance Related Information	May slow down Directory Server performance.
Further Information	Chapter 8, "Managing Replication."

Roles Plug-in

Table 15-28 Details of Roles Plug-in  

Plug-in Name	Roles Plug-in
DN of Configuration Entry	cn=Roles Plugin,cn=plugins,cn=config
Description	Enables the use of roles in the Directory Server
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	Chapter 5, "Advanced Entry Management."

Space Insensitive String Syntax Plug-in

Table 15-29 Details of Space Insensitive String Syntax Plug-in  

Plug-in Name	Space Insensitive String Syntax
DN of Configuration Entry	cn=Space Insensitive String Syntax,cn=plugins,cn=config
Description	Syntax for handling space-insensitive values
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information	This plug-in enables the Directory Server to support space and case insensitive values. Applications can now search the directory using entries with ASCII space characters. For example, a search or compare operation that uses jOHN Doe will match entries that contain johndoe, john doe, and John Doe. For more information about finding directory entries, see Appendix B, "Finding Directory Entries."

State Change Plug-in

Table 15-30 Details of State Change Plug-in  

Plug-in Name	State Change Plug-in
DN of Configuration Entry	cn=State Change Plugin,cn=plugins,cn=config
Description	Enables state-change-notification service.
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information
Further Information

Telephone Syntax Plug-in

Table 15-31 Details of Telephone Syntax Plug-in  

Plug-in Name	Telephone Syntax
DN of Configuration Entry	cn=Telephone Syntax,cn=plugins,cn=config
Description	Syntax for handling telephone numbers
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

UID Uniqueness Plug-in

Table 15-32 Details of UID Uniqueness Plug-in  

Plug-in Name	UID Uniqueness Plug-in
DN of Configuration Entry	cn=UID Uniqueness,cn=plugins,cn=config
Description	Checks that the values of specified attributes are unique each time a modification occurs on an entry.
Configurable Options	on | off
Default Setting	off
Configurable Arguments	Enter the following arguments: uid "DN" "DN"... if you want to check for uid attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid" MarkerObjectclass = "ObjectClassName" and optionally requiredObjectClass = "ObjectClassName" if you want to check for uid attribute uniqueness when adding or updating entries with the requiredObjectClass, starting from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute.
Dependencies	N/A
Performance Related Information	This plug-in may slow down Directory Server performance. In a multi-master replication environment, the UID Uniqueness Plug-in will not work at all and should therefore not be enabled. If you try to add a new entry to a server where the UID Uniqueness Plug-in is enabled and a referral has been created in a subtree, then the UID Uniqueness Plug-in will not work because if it sees any other error apart from noSuchObject (meaning that the entry does not already exist), which it will do if a referral is created, then it will return an operations error preventing you from adding your new entry. To prevent being blocked by such an operations error, disable the plug-in on the server where you created the referral. If, however, you still want to run a UID Uniqueness check, make sure that you only activate the plug-in on the last of the referred-to servers to prevent it from blocking the referral mechanism.
Further Information	Chapter 17, "Using the Attribute Uniqueness Plug-in."

URI Plug-in

Table 15-33 Details of URI Plug-in  

Plug-in Name	URI Syntax
DN of Configuration Entry	cn=URI Syntax,cn=plugins,cn=config
Description	Syntax for handling URIs (Unique Resource Identifiers), including URLs (Unique Resource Locators)
Configurable Options	on | off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance Related Information	Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information

Enabling and Disabling Plug-ins from the Server Console

To enable and disable plug-ins over LDAP using the Directory Server Console:

1. In the Directory Server Console, select the Configuration tab.
2. Double-click the Plugins folder in the navigation tree.
3. Select the plug-in from the Plugins list.
4. To disable the plug-in, clear the Enabled checkbox. To enable the plug-in, check this checkbox.
5. Click Save.
6. Restart the Directory Server.