/sys$common/syshlp/NCLHELP.HLB  —  Directory Module, DSA  Characteristics
 Each DSA characteristic attribute is listed below. You can assign
 values (using the SET directive) to all of these attributes except
 for the Version attribute. You can display the current value of
 all of the attributes using the SHOW directive.

 Syntax:

 	SET  DSA <attr> <value> [, ...]
 	SHOW DSA <attr> [, ...]

 where <attr> is the attribute name and <value> is the
 value. You can specify more than one attribute in a single
 directive by separating the attributes with a comma.
 For example:

 	SET  DSA AE TITLE="/C=US/CN=DSA3", PASSWORD="mumble"
 	SHOW DSA AE TITLE, PASSWORD

 You can use the ALL CHARACTERISTICS keywords in a SHOW directive,
 for example:

 	SHOW DSA ALL CHARACTERISTICS

 Characteristic attributes can be reset to their default values by
 specifying the characteristic attribute without a value in a SET
 directive. For example, the following command resets the DSA AE
 Title attribute to its default value (no value):

 	SET DSA AE TITLE

1  –  Accounting Facility

 The Accounting Facility characteristic attribute controls whether
 the accounting facility is enabled on a DSA. (Note that previous
 versions of the DSA used an Accounting State attribute. The
 Accounting State attribute has been withdrawn.)

 Syntax:

 	SET DSA ACCOUNTING FACILITY <ON/OFF>
 	SHOW DSA ACCOUNTING FACILITY

 When you enable the accounting facility, the DSA generates the
 Accounting Enabled event. If the accounting facility cannot be
 started, the DSA generates the Accounting Start Failure event. When
 you disable the accounting facility, the DSA generates the
 Accounting Disabled event.

 The setting of this attribute is maintained when you disable
 and re-enable the DSA, and also when you delete and recreate the DSA.

2  –  Accounting Options

 The Accounting Options characteristic attribute controls the amount
 of information included in Operation records in the accounting file.
 If this attribute is not set, the DSA provides a summary of user
 requests. The information included in Operation records is described
 in HP Enterprise Directory - Problem Solving.

 If you set this attribute, in addition to summary information,
 the DSA can include the protocol data unit (PDU) of the user
 request and/or the error returned to the user if the operation is
 not successful. The error PDU and request PDU are described in
 ITU-T Recommendation X.511.

 You can set the attribute such that the DSA includes either the PDU
 of a successful user request, the PDU of an error returned in
 response to a user request, both, or neither.

 Syntax:

 	SET DSA ACCOUNTING OPTIONS {REQUESTPDU}
 	SET DSA ACCOUNTING OPTIONS {ERRORPDU}
 	SET DSA ACCOUNTING OPTIONS {REQUESTPDU, ERRORPDU}
 	SET DSA ACCOUNTING OPTIONS {}
 	SHOW DSA ACCOUNTING OPTIONS

 To stop the DSA from including either the request PDU or the error PDU in
 Operation records, enter the following command:

 	> SET DSA ACCOUNTING OPTIONS {}

 This attribute has no effect if the Accounting Facility characteristic
 attribute is set to OFF.

3  –  Accounting Rollover Interval

 The Accounting Rollover Interval characteristic attribute controls
 how often the DSA closes the current accounting file and creates a
 new one, that is, rolls over the accounting file. The interval uses
 the accounting rollover start time as its starting point. For
 example, if you set the accounting rollover interval to 6 hours, the
 first accounting file rollover will take place at the time specified
 by the Accounting Rollover Start Time attribute, and the second
 rollover six hours later.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER INTERVAL <time>
 	SHOW DSA ACCOUNTING ROLLOVER INTERVAL

 where <time> is the required interval specified in binary relative
 time. For example, to make the DSA roll over the accounting file
 every twelve and a half hours, enter the following:

 	> SET DSA ACCOUNTING ROLLOVER INTERVAL 12:30:00

 When the DSA rolls over the accounting file, it generates the
 Accounting File Rollover event. You can then process the closed
 accounting files using your decoding and billing utility.

 On Tru64 UNIX systems, accounting files are stored in
 the /var/dxd/accounting directory. On OpenVMS systems, accounting
 files are stored in the directory pointed to by the DXD$ACCOUNTING
 logical.

 Note that accounting files are neither purged nor deleted
 automatically by the DSA.

 The default setting for this characteristic attribute is 12 hours.

 This attribute has no effect if the Accounting Facility
 characteristic attribute is set to OFF.

4  –  Accounting Rollover Last Time

 This characteristic attribute is read only. It indicates the most
 recent time at which the accounting file was rolled over, that is,
 the time at which the previous accounting file was closed and the
 current accounting file created.

 Syntax:

 	SHOW DSA ACCOUNTING ROLLOVER LAST TIME

 The time is displayed in binary absolute time.

 If a rollover has not occurred since the DSA was created, then
 this attribute shows the time that the DSA was created.

5  –  Accounting Rollover Start Time

 This characteristic attribute indicates the first time at which the
 accounting file is to be rolled over, that is, the time at which the
 accounting file is to be closed and a new one created for the first
 time.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER START TIME <time>
 	SHOW DSA ACCOUNTING ROLLOVER START TIME

 where <time> is the required time specified in binary absolute time.

 For example, if you want the accounting file to be rolled over for
 the first time at 12:00, enter the following:

 	> SET DSA ACCOUNTING ROLLOVER START TIME 12:00:00

 Subsequent accounting file rollovers occur at the interval specified
 by the Accounting Rollover Interval attribute.

 This attribute has no effect if the Accounting Facility characteristic
 attribute is set to OFF.

6  –  Accounting Rollover Window

 The Accounting Rollover Window characteristic attribute defines the
 window for closing the current accounting file and creating a new
 one, that is, for rolling over the accounting file. If the accounting
 facility cannot roll over the accounting file within the time
 specified by the accounting rollover window, it continues to use the
 current accounting file until the next scheduled or unscheduled
 accounting file rollover.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER WINDOW <time>
 	SHOW DSA ACCOUNTING ROLLOVER WINDOW

 For example, assume the Accounting Rollover Window is set to 30
 minutes, the Accounting Rollover Interval to 6 hours, and the
 Accounting Rollover Start Time to 12:00:00. The accounting facility
 tries to roll over the accounting file at 12:00. If this rollover is
 not started by 12:30:00, the accounting facility abandons the
 attempt and continues to use the current accounting file until the
 next scheduled rollover at 18:00:00.

 When the accounting facility performs a scheduled rollover, that is a
 rollover required by the Accounting Rollover Interval characteristic
 attribute, it checks that no unscheduled rollover has been performed
 within the accounting rollover window. If one has, the scheduled
 rollover is not performed. For example, assume there is a scheduled
 rollover of the accounting file at 12:00:00. Before the scheduled
 rollover is performed, there is an unscheduled rollover at 12:10:00.
 Consequently, the scheduled rollover is not performed.

 The default setting for this characteristic attribute is 1 hour.

 This attribute has no effect if the Accounting Facility characteristic
 attribute is set to OFF.
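
 The window rules above (an attempt that misses its window is abandoned
 until the next interval, and an unscheduled rollover inside the window
 suppresses the scheduled one) as a small Python model. This is an added
 example, not code from the NCL help or from the DSA; the at() and dur()
 helpers, the reference date and the reading that an unscheduled rollover
 only suppresses a scheduled one when it falls between the scheduled time
 and the attempt are this example's own assumptions.

```python
# Added example; not code from the NCLHELP text or from the DSA.
# Assumption (not stated on the page): an unscheduled rollover suppresses a
# scheduled one only if it happened between the scheduled time and the
# moment the facility attempts the scheduled rollover.
from datetime import datetime, timedelta

# Constructed reference day so the examples can be written as "HH:MM".
_DAY = datetime(2024, 1, 1)


def at(hhmm):
    """'12:30' -> datetime on the constructed reference day."""
    h, m = (int(x) for x in hhmm.split(":"))
    return _DAY.replace(hour=h, minute=m)


def dur(hhmmss):
    """'06:00:00' -> timedelta (binary relative time without the DDD- part)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def next_scheduled_rollover(start, interval, now):
    """First scheduled rollover at or after `now`: start, start+interval, ...
    (the Accounting Rollover Interval counts from the Start Time)."""
    if interval <= timedelta(0):
        raise ValueError("interval must be positive")
    if now <= start:
        return start
    steps = (now - start) // interval            # whole intervals already elapsed
    candidate = start + steps * interval
    return candidate if candidate >= now else candidate + interval


def decide_scheduled_rollover(scheduled_at, now, window, unscheduled_times=()):
    """What the accounting facility does when it attempts the rollover that was
    scheduled for `scheduled_at`, at wall-clock time `now`:
      'rollover'  - close the file and create a new one
      'abandoned' - the window has closed; keep using the current file
      'skipped'   - an unscheduled rollover already happened within the window
    """
    if now < scheduled_at:
        raise ValueError("scheduled rollover is still in the future")
    if now > scheduled_at + window:
        return "abandoned"
    if any(scheduled_at <= t <= now for t in unscheduled_times):
        return "skipped"
    return "rollover"


def help_text_examples():
    """The two scenarios given in the Accounting Rollover Window text."""
    start, interval, window = at("12:00"), dur("06:00:00"), dur("00:30:00")
    late = decide_scheduled_rollover(start, at("12:31"), window)        # not started by 12:30
    after_late = next_scheduled_rollover(start, interval, at("12:31"))  # so wait for 18:00
    unsched = decide_scheduled_rollover(start, at("12:15"), window,
                                        unscheduled_times=[at("12:10")])
    return {"late": late, "next": after_late.strftime("%H:%M"), "unscheduled": unsched}


if __name__ == "__main__":
    print(help_text_examples())
```

 Running the block prints the decisions for the two scenarios in the text:
 the 12:31 attempt is abandoned and the next rollover falls at 18:00, and
 the 12:00 rollover is skipped because of the unscheduled one at 12:10.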

7  –  Accounting Rollover Unscheduled Time

 You can use this characteristic attribute to force the accounting
 facility to roll over the accounting file immediately, that is, close
 the current accounting file and create a new one. Alternatively, by
 specifying the required time as the qualifier to this characteristic
 attribute, you can force the accounting facility to roll over the
 accounting file at any required time. In either case, this is called
 an unscheduled accounting file rollover.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER UNSCHEDULED TIME <time>
 	SHOW DSA ACCOUNTING ROLLOVER UNSCHEDULED TIME

 where <time> is the time at which you want the unscheduled accounting
 file rollover to take place in binary absolute time. If you do not
 specify a time the DSA performs accounting file rollover immediately.

 This attribute has no effect if the Accounting Facility
 characteristic attribute is set to OFF.

8  –  AE Title

 The AE Title attribute specifies the application entity title of
 the DSA. The AE Title is unique to this DSA.

 You specify the AE Title using the SET directive. You cannot
 enable the DSA until it has an AE title. You must make sure that
 the AE Title attribute is the same as the distinguished name of
 the directory entry that represents this DSA in the DIT. Refer
 to HP Enterprise Directory - Management for further details.

 The DSA must be in state OFF when you set the AE Title attribute.

 Syntax:

 	SET  DSA AE TITLE "<name>"
 	SHOW DSA AE TITLE

 Refer to DSA Common_Datatypes for information on the
 syntax of an AE Title.

9  –  Archived Update Log Number

 By default, the DSA will not keep prior versions of the Update Log File that
 it no longer needs. These log files are also used for incremental shadowing,
 so removal of earlier update log files may cause some shadowing agreements to
 perform a total update.

 The Archived Update Log Number attribute prevents the DSA from deleting the
 Update Log File. If this attribute is set to a number greater than zero,
 then all update log files beyond this number will be preserved.

 Syntax:

 	SET  DSA ARCHIVED UPDATE LOG NUMBER <value>
 	SHOW DSA ARCHIVED UPDATE LOG NUMBER

10  –  DIT Check Interval

 The DIT Check Interval attribute defines how often the DSA
 writes its database to disk.

 When you modify directory entries, the DSA applies the
 modifications to the copy of the database that it holds in memory.
 It also keeps a log of all modifications in an update log file.

 After every DIT check interval, the DSA writes the database to disk.
 It then opens a new update log file for the next interval.

 In the event of a system problem, the DSA can recover its database by
 reading it from disk and applying the changes logged in the most recent
 update log file.

 Syntax:
 	SET  DSA DIT CHECK INTERVAL "<time>"
 	SHOW DSA DIT CHECK INTERVAL

 The full syntax for specifying a time is as follows: DDD-HH:MM:SS

 where DDD is days, HH is hours, MM is minutes, and SS is seconds.
 If you specify more than 366 days, the DSA uses 366 days as its
 DIT check interval. The DSA displays the value you specified if
 you use the SHOW directive.

 The default value is "12:00:00", indicating 12 hours. If you have a
 DSA that handles a lot of modifications, then you might want to
 specify a shorter interval. This prevents the update log file from
 becoming too large.
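
 The checkpoint-and-log scheme described above, as a toy Python store. This
 is an added example and not the DSA's own code: modifications go to an
 in-memory database and to the current update log file, a DIT check writes
 the database to disk and opens a new update log, and recovery reads the
 snapshot and replays the newest log. The ToyDSA class, file names and the
 JSON-lines record format are invented here; the entry names are taken from
 the examples in this help text.

```python
# Added example, not the DSA's own code: checkpoint (DIT check) plus update
# log replay, as the DIT Check Interval text describes it.
import json
import os
import tempfile


class ToyDSA:
    def __init__(self, directory):
        self.dir = directory
        self.dit = {}            # in-memory database: distinguished name -> attributes
        self.log_seq = 0         # sequence number of the current update log file
        self.log = None
        self._open_new_log()

    def _log_path(self, seq):
        return os.path.join(self.dir, f"updatelog-{seq:04d}.jsonl")

    def _open_new_log(self):
        self.log_seq += 1
        self.log = open(self._log_path(self.log_seq), "a")

    @staticmethod
    def _apply(dit, record):
        op, dn, attrs = record["op"], record["dn"], record.get("attrs", {})
        if op == "add":
            dit[dn] = dict(attrs)
        elif op == "modify":
            dit.setdefault(dn, {}).update(attrs)
        elif op == "delete":
            dit.pop(dn, None)
        else:
            raise ValueError(f"unknown op {op!r}")

    def modify(self, op, dn, attrs=None):
        """Apply one modification in memory and append it to the update log."""
        record = {"op": op, "dn": dn, "attrs": attrs or {}}
        self._apply(self.dit, record)
        self.log.write(json.dumps(record) + "\n")
        self.log.flush()
        os.fsync(self.log.fileno())   # non-volatile behaviour: on disk before we return

    def dit_check(self):
        """Write the whole database to disk, then start a new update log file."""
        tmp = os.path.join(self.dir, "dit.snapshot.tmp")
        with open(tmp, "w") as f:
            json.dump({"log_seq": self.log_seq, "dit": self.dit}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, os.path.join(self.dir, "dit.snapshot"))   # atomic swap
        self.log.close()
        self._open_new_log()


def recover(directory):
    """Rebuild the database from the last snapshot plus the update log that
    was opened right after it (the most recent one)."""
    dit, last_seq = {}, 0
    snap = os.path.join(directory, "dit.snapshot")
    if os.path.exists(snap):
        with open(snap) as f:
            state = json.load(f)
        dit, last_seq = state["dit"], state["log_seq"]
    log_path = os.path.join(directory, f"updatelog-{last_seq + 1:04d}.jsonl")
    if os.path.exists(log_path):
        with open(log_path) as f:
            for line in f:
                try:
                    record = json.loads(line)
                except json.JSONDecodeError:
                    break    # torn final record from a crash mid-write: stop replaying
                ToyDSA._apply(dit, record)
    return dit


def demo():
    """Two entries, a DIT check, two more changes, then 'crash' and recover."""
    with tempfile.TemporaryDirectory() as d:
        dsa = ToyDSA(d)
        dsa.modify("add", "/C=US/O=Abacus/CN=DSA1", {"objectClass": "dSA"})
        dsa.modify("add", "/C=US/O=Abacus/CN=Jon Smith", {"cn": "Jon Smith"})
        dsa.dit_check()                                   # snapshot; log 0001 -> 0002
        dsa.modify("modify", "/C=US/O=Abacus/CN=Jon Smith", {"title": "Sales"})
        dsa.modify("delete", "/C=US/O=Abacus/CN=DSA1")
        dsa.log.close()
        del dsa                                           # the in-memory copy is gone
        return recover(d)


if __name__ == "__main__":
    print(demo())
```

 Everything written after the last DIT check lives only in the newest
 update log until the next check, which is why a busy DSA wants a shorter
 interval: the log stays small and recovery has less to replay.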

11  –  DIT Check Last Time

 This attribute records the time of the last DIT check, that is,
 the last time that the DSA wrote its database to disk and
 created a new update log. This is a read-only attribute.

 Syntax:
 	SHOW DSA DIT CHECK LAST TIME

12  –  DIT Check Window

 This attribute specifies the duration of the DIT check window.
 If the DSA fails to write its database to disk within this
 window, the attempt is delayed until the next scheduled DIT
 check.

 Syntax:
 	SET DSA DIT CHECK WINDOW "<time>"
 	SHOW DSA DIT CHECK WINDOW

 The full syntax for specifying a time is as follows: DDD-HH:MM:SS

 where DDD is days, HH is hours, MM is minutes, and SS is seconds.
 If you specify more than 366 days, the DSA uses 366 days as its
 DIT check window. The DSA displays the value you specified if
 you use the SHOW directive.

 The default value is 01:00:00, or one hour.
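
 A parser for the DDD-HH:MM:SS value shared by the DIT Check Interval and
 DIT Check Window attributes, including the rule that a value above 366
 days is echoed by SHOW as specified but applied as 366 days. This is an
 added example, not code from the NCL help or the DSA; the function names
 and the stripping of surrounding double quotes are this example's choices.

```python
# Added example, not from the NCL help: parse DDD-HH:MM:SS as used by
# DIT CHECK INTERVAL and DIT CHECK WINDOW, with the 366-day cap.
import re
from datetime import timedelta

MAX_DAYS = 366
_DELTA = re.compile(r"^(?:(\d{1,3})-)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_delta_time(text):
    """'DDD-HH:MM:SS' or 'HH:MM:SS' (optionally in double quotes) -> timedelta.
    Rejects anything not in that shape, including HH/MM/SS out of range."""
    m = _DELTA.match(text.strip().strip('"'))
    if not m:
        raise ValueError(f"not a DDD-HH:MM:SS value: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"field out of range in {text!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def effective_value(text):
    """Return (as_stored, as_used): the string SHOW would display, and the
    duration the DSA actually applies after the 366-day cap."""
    stored = text.strip().strip('"')
    requested = parse_delta_time(stored)
    return stored, min(requested, timedelta(days=MAX_DAYS))


if __name__ == "__main__":
    for value in ('"12:00:00"', "1-02:03:04", "400-00:00:00"):
        print(value, "->", effective_value(value))
```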

13  –  DIT Check Unscheduled Time

 Use this attribute to specify a time when the DSA must write
 its database to disk and create a new update log file. If
 you specify no time or a time in the past, the DSA writes its
 database immediately. This attribute has no effect on the
 normal schedule.

 Syntax:
 	SET DSA DIT CHECK UNSCHEDULED TIME "<time>"
 	SHOW DSA DIT CHECK UNSCHEDULED TIME

 For example:

 	> SET DSA DIT CHECK UNSCHEDULED TIME "1995-01-05-01:12:00"

14  –  DIT Check Start Time

 This characteristic attribute indicates the first time at which the
 DSA is to write its database to disk and open a new update log file.

 Syntax:

 	SET DSA DIT CHECK START TIME "<time>"
 	SHOW DSA DIT CHECK START TIME

 where <time> is the required time specified in binary absolute
 time. For example, if you want the DSA to write the database for
 the first time at midday, enter the following:

 	> SET DSA DIT CHECK START TIME "12:00"

 The DSA then writes the database to disk at regular intervals
 after the specified start time. The intervals are defined by
 the DIT Check Interval attribute.

15  –  Dereference Aliases On Modify

 The Dereference Aliases on Modify attribute specifies whether
 alias names can be used in modification requests, such as
 the DXIM CREATE ENTRY, MODIFY ENTRY, DELETE ENTRY and
 RENAME ENTRY commands.

 If this attribute is set to TRUE, then alias names can be
 used in modifications if the user so desires. For example, a
 DXIM command line user can use the Dereference Aliases
 control to indicate that they want alias names dereferenced for
 a particular command. This means that the user can refer to the
 entry that they want to modify by means of its distinguished name
 or any valid alias name for that entry.

 If the attribute is set to FALSE, then alias names are never
 dereferenced for modifications, regardless of user
 specification. This means that a user must refer to the entry
 they want to modify by means of its distinguished name. If they
 use an alias name, even a valid one, the command fails.

 The default value is FALSE. (Note that when displaying
 entries, the default behaviour is to dereference aliases.)

 Syntax:

 	SET DSA DEREFERENCE ALIASES ON MODIFY <TRUE/FALSE>

16  –  Examples

 	>  SET DSA PRESENTATION ADDRESS -
         _>  '"DSA"/"DSA"/"DSA"/NS+49002aaa0004000aaaaa,CLNS'

 	> SHOW DSA PRESENTATION ADDRESS

 	The first command assigns a presentation address to the DSA
 	and the second command displays this address.

 	> SET  DSA AE TITLE "/C=US/O=Abacus/CN=DSA1"
 	> SHOW DSA AE TITLE

 	The first command assigns an AE title to the
 	DSA and the second command displays it.

 	> SHOW DSA VERSION, AE TITLE, SIZE LIMIT

 	This command displays the value of three
 	characteristic attributes.

 	> SHOW DSA ALL CHARACTERISTICS

 	This command displays the value of all characteristic
 	attributes.

17  –  Idle Disconnect Timer

 The Idle Disconnect Timer attribute specifies how long a
 connection can remain unused before timing out. The value
 is specified in seconds.

 This ensures that system resources are not being consumed
 by inactive associations. The default value is 300 seconds.

 Syntax:

 	SET DSA IDLE DISCONNECT TIMER <seconds>
 	SHOW DSA IDLE DISCONNECT TIMER

 A value of 0 seconds indicates that idle connections are never
 disconnected by the DSA. This is not advisable.

18  –  Password

 The Password attribute contains the password of the DSA. This
 is used by the DSA to identify itself to another DSA when it
 needs to contact that DSA.

 The Password must match the userPassword attribute of the
 directory entry representing this DSA. If you change the password
 of the DSA, you must do so in both places.

 The password must be between 1 and 128 characters long.
 There is no default value. If a DSA does not have a password,
 it cannot replicate information, and might have difficulty
 passing user requests on to other DSAs.

 Syntax:

 	SET DSA PASSWORD <value>

19  –  LDAP Cipher Suites

 The LDAP Cipher Suites attribute specifies which SSL Cipher Suites will
 be available for SSL connections. If this attribute is not set, then the
 DSA will accept any of the ciphersuites in the SSL default list. This
 attribute allows you to restrict the DSA to a subset of the ciphersuites
 available in SSL. The value is a quoted string, listing each ciphersuite
 to be allowed, separated by a ':'.

 The DSA must be in state OFF for you to set this attribute.

 Syntax:
 	SET DSA LDAP CIPHERSUITE "<value>:<value>..."
 	SHOW DSA LDAP CIPHERSUITE

20  –  LDAP Port

 The LDAP Port attribute is the port number that the DSA listens on
 for LDAP protocol, when you enable the DSA.

 You must set the LDAP Port to a non-zero integer, while the DSA
 is in the OFF state. If the port number is set to zero, the DSA
 does not listen for LDAP requests.

 Syntax:
 	SET DSA LDAP PORT <value>
 	SHOW DSA LDAP PORT

21  –  LDAP Security Protocol

 Specify the security protocol to be used on this port. The DSA must be in
 state OFF before you can set this attribute.

 Syntax:
 	SET DSA LDAP SECURITY PROTOCOL
 				<"SSLv2"/"SSLv3"/"SSLv23"/"TLSv1">
 	SHOW DSA LDAP SECURITY PROTOCOL

22  –  Presentation Address

 You cannot enable the DSA until it has a valid presentation
 address. The DSA must be in the OFF state when you set its
 Presentation Address attribute. Note that the easiest way to
 set a DSA's presentation address is to use the DSA
 configuration procedure.

 Syntax:
 	SET DSA PRESENTATION ADDRESS <address>
 	SHOW DSA PRESENTATION ADDRESS

 Quote the entire presentation address using the ' character.
 Do not attempt to break the presentation address across multiple
 command lines. Either use a wide window, or simply allow the
 presentation address to wrap.

 Refer to HP Enterprise Directory - Management for
 details of how to use the DSA configuration procedure to set a DSA's
 presentation address.

 Refer to DSA Common_Datatypes for further information
 on the syntax of the Presentation Address attribute.

23  –  Private Key Passphrase

 If you want to use SSL on LDAP connections to protect the security of the
 authentication phase, you need to obtain a certificate for the DSA.
 The certificate will have a Private Key that the DSA can use to validate
 the certificate exchange. This Private Key is usually encrypted using a
 pass phrase chosen by the user. If you are using SSL, you need to obtain
 a certificate and private key for the DSA in PEM format, either from a
 Certificate Authority or from SSL, and store these in the DSA's directory
 area as DSA-certificate.pem and DSA-private-key.pem. You also need to tell
 the DSA what the passphrase for the private key is, by setting the PRIVATE
 KEY PASSPHRASE attribute. This is a password attribute, so you cannot SHOW
 it.

 Syntax:
 	SET DSA PRIVATE KEY PASSPHRASE "<value>"

24  –  Prohibit Chaining

 The Prohibit Chaining attribute specifies whether the DSA is
 allowed to communicate with other DSAs when attempting to satisfy
 user requests. Communication between DSAs is called chaining.

 The DSA must be in state OFF when you set this attribute.

 Syntax:
 	SET DSA PROHIBIT CHAINING <TRUE/FALSE>

 To prohibit chaining, specify the value TRUE; otherwise the
 value specified by the user or the user application is used. For
 example, a user of the DXIM command line interface can use the
 No Chaining control.

 If a DSA is prohibited from communicating with other DSAs, then
 it provides the user or the application with a "continuation
 reference" or a "referral" instead. These identify which DSA(s)
 would have been contacted, and provide the user with the
 information they require to make the connection(s) directly if
 they want to. For ease of use, it is usually preferable not to
 prohibit chaining.

 Note that prohibiting chaining does not prevent DSAs from
 connecting to other DSAs for other reasons, such as replication.

25  –  Prohibit DECnet Transport

 The Prohibit DECnet Transport attribute specifies whether the DSA can use
 the DECnet OSI Transport protocol to communicate with DUAs and other DSAs.

 If the use of DECnet OSI Transport protocol is prohibited, then all
 communication will use the DSA's private RFC1006 implementation rather than
 DECnet's transports. If DECnet is running you will most likely not be able
 to use TCP/IP port 102 as DECnet will have allocated it.

 The DSA must be in state OFF when you set this attribute.

 Syntax:
 	SET  DSA PROHIBIT DECNET TRANSPORT <TRUE/FALSE>
 	SHOW DSA PROHIBIT DECNET TRANSPORT

26  –  Read Only DSA NSAPs

 The Read Only DSA NSAPs attribute identifies one or more DSAs
 that are allowed to contact this DSA and perform interrogations
 on behalf of their users. Each DSA is represented by the NSAP
 value of its presentation address.

 Syntax:

 	SET DSA READ ONLY DSA NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA READ ONLY DSA NSAPS {%x49002aaa00040008aa21}

 You can specify the leading characters of an NSAP to indicate
 that read-only access is allowed for any DSA using an NSAP
 beginning with that sequence of characters. For example:

 	SET DSA READ ONLY DSA NSAPS {%x49002a}

 The default value is an empty list of NSAP addresses, indicating
 that all NSAPs are allowed. If the attribute specifies one or more
 NSAPs, then only DSAs using those NSAPs are allowed to perform
 interrogations of this DSA.

 Note that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a read-only DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

27  –  Read Only DSA Names

 The Read Only DSA Names attribute lists the AE title of each DSA
 allowed to access this DSA to perform interrogations on behalf of
 their users.

 Syntax:
 	SET DSA READ ONLY DSA NAMES {<aetitle>, ....}

 where <aetitle> is the AE title of a DSA. For example:

 	"/C=US/O=Abacus/OU=Sales/CN=DSA1"

 Refer to DSA Common_Datatypes for more information
 on how to specify an AE title.

 The default value is an empty list of AE titles, indicating
 that any DSA is allowed to interrogate this DSA (subject to other
 controls). If one or more AE titles are specified in this
 attribute, then only those DSAs are allowed to interrogate this DSA.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a read-only DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

28  –  Reader NSAPs

 The Reader NSAPs attribute lists the NSAP addresses
 that directory applications can use to access the DSA and perform
 interrogations.

 Note that this is not the recommended way to implement controls
 on user access to directory information. Refer to HP Enterprise
 Directory - Management for access control advice.

 Syntax:
 	SET DSA READER NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA READER NSAPS {%x49002aaa00040008aa21}

 You can specify the leading characters of an NSAP to indicate
 that read-only access is allowed for any application using an
 NSAP beginning with that sequence of characters. For example:

 	SET DSA READER NSAPS {%x49002a}

 The default value is an empty set of NSAP addresses, indicating
 that applications can use any NSAP.

 Note that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed read access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

29  –  Reader Names

 The Reader Names attribute lists the distinguished names of
 users permitted to access the DSA and perform interrogations.

 Note that this is not the recommended way to implement controls
 on user access to directory information. Refer to HP Enterprise
 Directory - Management for access control advice.

 Syntax:
 	SET DSA READER NAMES {<name>, ....}

 where <name> is the distinguished name of a user, for example:

 	"/C=US/O=Abacus/OU=Sales/CN='Jon Smith'"

 Refer to DSA Common_Datatypes for more information
 on how to specify a distinguished name.

 If the attribute contains no names, then all users can
 interrogate the DSA (subject to access controls, and to the
 setting of the Reader NSAPs and the Writer Names and
 Writer NSAPs attributes).

 The default value is an empty list of distinguished names,
 allowing all users to read information, subject to other
 attributes and access controls.

 Note that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed read access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

30  –  Schema Check On Modify

 The Schema Check on Modify attribute specifies whether the DSA
 checks modifications for conformance with the schema.

 Syntax:
 	SET DSA SCHEMA CHECK ON MODIFY <TRUE/FALSE>

 If you do not want the DSA to use the schema to ensure that
 modifications are valid, set this attribute to FALSE.

 Note that if directory modifications are not checked against
 the schema, you can easily corrupt your directory information.
 It is not advisable to set this attribute to FALSE unless you
 are sure that all requests for modification will be valid.

 One reason to set this attribute to FALSE temporarily might be
 because you want to use a script file to execute a large number
 of commands which you are sure are all valid. The DSA can process
 such a file more quickly, but you must be confident that the file
 contains no invalid commands. For example, if the file contains
 a request to add an attribute to an entry for which it is not
 allowed, then you will have created an invalid entry.

31  –  Size Limit

 The Size Limit attribute specifies the maximum number of entries
 that can be returned when satisfying a user request. Most
 directory operations only return one entry, but some, such as
 searches, can return many entries.

 Syntax:
 	SET DSA SIZE LIMIT <number>

 The limit specified using this characteristic attribute overrides
 the value specified by the user application, if the application
 requests a larger number.

 The default value is 0, indicating that there is no limit on the
 number of entries that can be returned unless the application
 specifies one.

32  –  SSL LDAP Cipher Suites

 The SSL LDAP Cipher Suites attribute specifies which SSL Cipher Suites will
 be available for SSL connections through the dedicated SSL LDAP port. If this
 attribute is not set, then the DSA will accept any of the ciphersuites in
 the SSL default list. This attribute allows you to restrict the DSA to a
 subset of the ciphersuites available in SSL. The value is a quoted string,
 listing each ciphersuite to be allowed, separated by a ':'.

 The DSA must be in state OFF for you to set this attribute.

 Syntax:
 	SET  DSA SSL LDAP CIPHERSUITES "<value>:<value>..."
 	SHOW DSA SSL LDAP CIPHERSUITES

33  –  SSL LDAP Port

 The SSL LDAP Port attribute is the port number of the dedicated SSL LDAP port
 that the DSA listens on for SSL messages, when you enable the DSA.
 Unlike the LDAP port, which can establish LDAP connections with or without
 SSL, the SSL LDAP port will refuse all LDAP connections that do not specify
 SSL.

 You must set the SSL LDAP Port to a non-zero integer, while the DSA
 is in the OFF state. If the port number is zero, the DSA does not listen
 for SSL requests.

 Syntax:
 	SET  DSA SSL LDAP PORT <value>
 	SHOW DSA SSL LDAP PORT

34  –  SSL LDAP Security Protocol

 Specify the security protocol to be used on the SSL LDAP port. The DSA must
 be in state OFF when you set this attribute.

 Syntax:
 	SET  DSA SSL LDAP SECURITY PROTOCOL
 				<"SSLv2"/"SSLv3"/"SSLv23"/"TLSv1">
 	SHOW DSA SSL LDAP SECURITY PROTOCOL

35  –  SSL State

 The overall policy for SSL is controlled by the setting of the
 DSA characteristic SSL STATE.

 Syntax:

 	SET  DSA SSL STATE <state>
 	SHOW DSA SSL STATE

 Values for this characteristic are:

 "On"  	     SSL is enabled.

 "Off"  	     SSL is not enabled. SSL negotiation on the LDAP port
 	     will be refused.

 "Mandatory"  SSL is enabled and SSL must be negotiated on the LDAP
 	     port before any authenticated bind operation. Only
 	     unauthenticated operations can be performed on the
 	     normal LDAP port before SSL negotiation.
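
 The rules in the SSL LDAP Port and SSL State sections as a small Python
 model, with a reviewer's audit of the combination: under "On" the normal
 LDAP port still accepts an authenticated bind that has not negotiated SSL,
 which only "Mandatory" prevents. This is an added example and not HP's
 code; the attribute names follow the help text, while the DsaSslConfig
 class, the audit wording and the port numbers 389 and 636 are constructed
 for the example.

```python
# Added example, not HP's code: SSL State / port policy model and audit.
from dataclasses import dataclass

# SSLv2 and SSLv3 are prohibited by RFC 6176 and RFC 7568; "SSLv23" lets the
# library negotiate any version it still supports, which can include them.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv23"}


@dataclass
class DsaSslConfig:
    ssl_state: str                          # "On", "Off" or "Mandatory"
    ldap_port: int                          # LDAP PORT; 0 = not listening
    ssl_ldap_port: int                      # SSL LDAP PORT; 0 = not listening
    ldap_security_protocol: str = "TLSv1"
    ssl_ldap_security_protocol: str = "TLSv1"


def connection_accepted(cfg, port, wants_ssl):
    """Does the listener on `port` accept a client that does / does not ask for SSL?"""
    if port and port == cfg.ssl_ldap_port:
        return wants_ssl            # dedicated SSL port refuses anything that does not specify SSL
    if port and port == cfg.ldap_port:
        if wants_ssl and cfg.ssl_state == "Off":
            return False            # SSL negotiation on the LDAP port is refused when Off
        return True                 # with or without SSL otherwise
    return False                    # nothing listens on that port


def bind_accepted(cfg, authenticated, ssl_negotiated):
    """Is a bind on the normal LDAP port accepted? Under "Mandatory" an
    authenticated bind is only accepted after SSL has been negotiated."""
    if not authenticated:
        return True
    if cfg.ssl_state == "Mandatory":
        return ssl_negotiated
    return True


def audit(cfg):
    """Findings a reviewer would raise about this combination of attributes."""
    findings = []
    if cfg.ldap_port and cfg.ssl_state != "Mandatory":
        findings.append("LDAP PORT accepts authenticated binds without SSL; "
                        "passwords can cross the network in clear")
    listeners = [("LDAP SECURITY PROTOCOL", cfg.ldap_port, cfg.ldap_security_protocol),
                 ("SSL LDAP SECURITY PROTOCOL", cfg.ssl_ldap_port, cfg.ssl_ldap_security_protocol)]
    for name, port, proto in listeners:
        if port and proto in WEAK_PROTOCOLS:
            findings.append(f"{name} is {proto}; use TLSv1, the newest choice this DSA offers")
    if not cfg.ldap_port and not cfg.ssl_ldap_port:
        findings.append("neither LDAP PORT nor SSL LDAP PORT is set; the DSA will not serve LDAP")
    return findings


if __name__ == "__main__":
    for cfg in (DsaSslConfig("On", 389, 636), DsaSslConfig("Mandatory", 389, 636),
                DsaSslConfig("On", 389, 0, "SSLv3")):
        print(cfg.ssl_state, audit(cfg))
```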

36  –  Time Limit

 The Time Limit attribute specifies the time, in seconds, within
 which a directory request must be completed. The value specified
 using this characteristic attribute limits the ability of user
 applications to specify a time limit.

 Syntax:
 	SET DSA TIME LIMIT <seconds>

 The default value is 0, indicating that there is no time
 limit unless the application specifies one.

 The DSA makes frequent checks to see whether it has exceeded the
 time limit, and stops processing a request as soon as one of
 these checks indicates that the time limit has been exceeded. Any
 results that have been found within the time limit are presented
 to the user, with a Partial Results Displayed message.

37  –  Trusted DSA NSAPs

 The Trusted DSA NSAPs attribute contains a list of NSAP
 addresses through which DSAs can contact this DSA and perform
 chained read and chained modify operations.

 Syntax:
 	SET DSA TRUSTED DSA NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA TRUSTED DSA NSAPS {%x49002aaa00040008aa21}

 The default value is an empty set of NSAP addresses, indicating
 that all NSAPs are allowed.

 You can specify the leading characters of an NSAP to indicate
 that trusted access is allowed for any DSA using an
 NSAP beginning with that sequence of characters. For example:

 	SET DSA TRUSTED DSA NSAPS {%x49002a}

 Trusted access is required by DSAs that are attempting to chain
 a request for an authenticated user. This DSA must decide
 whether the calling DSA is to be trusted when it claims to have
 authenticated the user satisfactorily.

 Note that this attribute has no effect on DSA communications
 for other purposes, such as replication.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a trusted DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.
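
 The NSAP list rule shared by the Read Only DSA NSAPs, Reader NSAPs and
 Trusted DSA NSAPs attributes, as an added Python example that is not part
 of the help text: an empty list allows every NSAP, a full NSAP matches
 only itself, a shorter value matches every NSAP beginning with it, and the
 decision is taken once when a connection arrives. The NSAP values are the
 ones this help text uses in its examples; the function and class names,
 and the 20-digit "full NSAP" length in the broad_entries check, are this
 example's assumptions.

```python
# Added example, not from the NCL help: NSAP allow-list matching as described
# for the Read Only DSA NSAPs, Reader NSAPs and Trusted DSA NSAPs attributes.
HEX = set("0123456789abcdef")


def normalize_nsap(value):
    """Strip the NCL %x prefix and lower-case the hex digits so comparisons
    are not fooled by case ("%x49002AAA..." and "%x49002aaa..." are the same)."""
    v = value.strip().lower()
    if v.startswith("%x"):
        v = v[2:]
    if not v or any(c not in HEX for c in v):
        raise ValueError(f"not a hex NSAP: {value!r}")
    return v


def nsap_allowed(allow_list, caller_nsap):
    """Empty list: every NSAP is allowed. Otherwise the caller's NSAP must
    begin with one of the listed values; a full NSAP in the list therefore
    matches only itself, a shorter value matches a whole address block."""
    if not allow_list:
        return True
    caller = normalize_nsap(caller_nsap)
    return any(caller.startswith(normalize_nsap(entry)) for entry in allow_list)


def broad_entries(allow_list, full_length=20):
    """Defender's check: entries shorter than a full NSAP (full_length hex
    digits; 20 is the length of the help text's example, an assumption here)
    admit every DSA in that address block, not one DSA."""
    return [e for e in allow_list if len(normalize_nsap(e)) < full_length]


class Connection:
    """The DSA consults the list when a connection arrives and keeps that
    decision for the life of the connection; a later SET does not revisit it."""

    def __init__(self, allow_list, caller_nsap):
        self.caller_nsap = caller_nsap
        self.allowed = nsap_allowed(list(allow_list), caller_nsap)   # decided once


def demo():
    """Walk through the help text's own values."""
    nsaps = ["%x49002aaa00040008aa21"]                     # one exact DSA
    first = Connection(nsaps, "%x49002aaa00040008aa22")    # a different DSA: refused
    nsaps.append("%x49002a")                               # SET adds a prefix entry
    second = Connection(nsaps, "%x49002aaa00040008aa22")   # new connection: allowed
    return {"existing_after_set": first.allowed,           # unchanged by the SET
            "new_after_set": second.allowed,
            "broad": broad_entries(nsaps)}


if __name__ == "__main__":
    print(demo())
```

 The broad_entries check is the one worth running before a SET: a short
 value such as %x49002a reads like a single address in the command but
 grants the access of the whole attribute to every DSA in that block.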

38  –  Trusted DSA Names

 The Trusted DSA Names attribute can contain a list of trusted
 DSAs.

 Syntax:
 	SET DSA TRUSTED DSA NAMES {<aetitle>, ....}

 where <aetitle> is the AE title of a DSA that is to be trusted,
 for example:

 	"/C=US/O=Abacus/OU=Sales/CN=DSA1"

 The list contains the AE title of each trusted DSA.
 Refer to DSA Common_Datatypes for more information
 on how to specify an AE title.

 The default value is an empty list of AE titles, which means
 that this DSA trusts no other DSAs.

 Trust enables this DSA to accept another DSA's claim that
 a user has authenticated satisfactorily. This enables chained
 requests to be satisfied, rather than requiring a user to
 authenticate specifically to the DSA that holds the information
 they want to access.

 Note that this attribute is not the recommended way to implement
 trust between DSAs. Refer to the management guide for details of
 how to create directory entries to represent trusted DSAs.

 Note also that this attribute has no effect on DSA communications
 for other purposes, such as replication.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a trusted DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

39  –  Version

 The Version attribute displays the version number of the DSA.
 The value is read-only.

 Syntax:
 	SHOW DSA VERSION

40  –  Volatile Modifications

 The Volatile Modifications attribute specifies whether the DSA
 writes all modifications to disk immediately, or delays writing
 modifications to disk.

 Syntax:

 	SET DSA VOLATILE MODIFICATIONS <TRUE/FALSE>

 If the attribute is set to FALSE, then the DSA always writes
 modifications to disk immediately after applying them to its
 in-memory database. This ensures that modifications are never
 lost, but reduces DSA performance for modification operations.

 If the attribute is set to TRUE, then modifications are written
 to memory immediately, but may not be written to disk for up to
 fifteen seconds. This means it is possible that some
 modifications may be lost if a DSA exits abnormally. However,
 the DSA can process volatile modifications much faster than
 non-volatile modifications.

 The default value is FALSE. HP suggests that you set the
 attribute to TRUE, unless you have a strong requirement to
 ensure that modifications are never lost. The attribute can be
 set at any time, regardless of the state of the DSA.

41  –  Writer NSAPs

 This attribute lists the NSAP addresses that directory
 applications can use to communicate with this DSA and modify
 directory information. Any application attempting to use
 an unlisted NSAP is not allowed to modify information held by
 this DSA. It might be able to read information, subject to
 the Reader NSAPs attribute. Having write access automatically
 gives read access as well.

 Note that this attribute is not the recommended way to implement
 access control. Refer to HP Enterprise Directory
 - Management for access control advice.

 Syntax:
 	SET DSA WRITER NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA WRITER NSAPS {%x49002aaa00040008aa21}

 You can specify the leading characters of an NSAP to indicate
 that access is allowed for any application using an NSAP beginning
 with that sequence of characters. For example:

 	SET DSA WRITER NSAPS {%x49002a}

 The default value is an empty set of NSAP addresses, indicating
 that an application can use any NSAP.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed write access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

42  –  Writer Names

 The Writer Names attribute lists the distinguished
 names of users permitted to modify information held by this DSA.
 Having write access automatically gives read access as well.

 Syntax:
 	SET DSA WRITER NAMES {<name>, ....}

 where <name> is the distinguished name of a user, for example:

 	"/C=US/O=Abacus/OU=Sales/CN='Jon Smith'"

 Refer to DSA Common_Datatypes for more information
 on how to specify a distinguished name.

 Note that this is not the recommended way to implement controls
 on user access to directory information. Refer to HP Enterprise
 Directory - Management for access control advice.

 If the attribute specifies no names, then the DSA places no
 restriction on write access through this attribute (access remains
 subject to access controls, and to the settings of the Writer NSAPs,
 Reader Names, and Reader NSAPs characteristic attributes). However,
 if any names are listed, then only those users are permitted to
 modify information.

 The default value is an empty set of distinguished names, allowing
 all users to access information, subject to other attributes and
 access controls.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed write access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.
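 The following is an added illustration, not code from HP Enterprise
 Directory, that models the connection-time decisions described under
 Trusted DSA NSAPs, Trusted DSA Names, Writer NSAPs and Writer Names:
 an empty NSAP set admits any NSAP, a listed NSAP is a prefix match
 against the caller's address, Trusted DSA Names defaults to trusting
 no DSA, write access implies read access, and the decision is taken
 once when a connection is established and is not revisited when the
 attributes change later. Reader NSAPs and Reader Names are not
 defined in this section and are assumed to follow the same rule as
 their Writer counterparts; the Writer Names restriction is assumed to
 limit modification only, with reads falling through to the Reader
 attributes. The class and function names are illustrative.

```python
from __future__ import annotations
from dataclasses import dataclass, field


def _hex(nsap: str) -> str:
    """Normalise an NCL hex literal such as %x49002a to bare lowercase hex."""
    return nsap.strip().lower().removeprefix("%x")


def nsap_matches(caller_nsap: str, allowed: set[str]) -> bool:
    """Empty set: any NSAP is acceptable (the documented default).
    Otherwise the caller's NSAP must begin with one of the listed values,
    so {%x49002a} admits %x49002aaa00040008aa21."""
    if not allowed:
        return True
    caller = _hex(caller_nsap)
    return any(caller.startswith(_hex(prefix)) for prefix in allowed)


def name_matches(caller_name: str, allowed: set[str]) -> bool:
    """Reader/Writer Names: empty list means no restriction, otherwise
    the caller's distinguished name must be listed."""
    return not allowed or caller_name in allowed


@dataclass
class DsaCharacteristics:
    trusted_dsa_nsaps: set[str] = field(default_factory=set)
    trusted_dsa_names: set[str] = field(default_factory=set)
    reader_nsaps: set[str] = field(default_factory=set)   # assumed: as Writer NSAPs
    reader_names: set[str] = field(default_factory=set)   # assumed: as Writer Names
    writer_nsaps: set[str] = field(default_factory=set)
    writer_names: set[str] = field(default_factory=set)


def is_trusted_dsa(cfg: DsaCharacteristics, caller_nsap: str, caller_aetitle: str) -> bool:
    """Trusted DSA Names defaults to empty, which means trust *no* DSA, so the
    AE title must be listed; Trusted DSA NSAPs defaults to empty, meaning any
    NSAP, so it is only a further restriction when set."""
    if caller_aetitle not in cfg.trusted_dsa_names:
        return False
    return nsap_matches(caller_nsap, cfg.trusted_dsa_nsaps)


def access_level(cfg: DsaCharacteristics, caller_nsap: str, caller_dn: str) -> str:
    """Return 'write', 'read' or 'none'. Write access implies read access."""
    if nsap_matches(caller_nsap, cfg.writer_nsaps) and name_matches(caller_dn, cfg.writer_names):
        return "write"
    if nsap_matches(caller_nsap, cfg.reader_nsaps) and name_matches(caller_dn, cfg.reader_names):
        return "read"
    return "none"


@dataclass(frozen=True)
class Connection:
    """The decision is evaluated once at connection time and frozen: a later
    SET DSA on these attributes affects only subsequent connections."""
    caller_nsap: str
    caller_name: str
    access: str
    trusted_dsa: bool


def establish(cfg: DsaCharacteristics, caller_nsap: str, caller_name: str) -> Connection:
    return Connection(caller_nsap, caller_name,
                      access_level(cfg, caller_nsap, caller_name),
                      is_trusted_dsa(cfg, caller_nsap, caller_name))


def demo() -> tuple[str, str]:
    """Constructed scenario: an operator tightens Writer NSAPs while a writer
    is connected. The existing connection keeps write access; a new one from
    the same NSAP falls back to read (Reader attributes are empty)."""
    cfg = DsaCharacteristics(writer_nsaps={"%x49002a"})
    jon = "/C=US/O=Abacus/OU=Sales/CN='Jon Smith'"
    existing = establish(cfg, "%x49002aaa00040008aa21", jon)
    cfg.writer_nsaps = {"%x39840f"}          # equivalent of a later SET DSA WRITER NSAPS
    fresh = establish(cfg, "%x49002aaa00040008aa21", jon)
    return existing.access, fresh.access


if __name__ == "__main__":
    print(demo())
```

 The point the model makes concrete is the last one: because the DSA
 consults these attributes only when a connection arrives, removing an
 NSAP or name from the list does not revoke anything already granted.
 To cut off an existing caller, you must also drop its connection, for
 example by disabling and re-enabling the DSA.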