DSCTL(1) Generated Python Manual DSCTL(1) NAME dsctl SYNOPSIS dsctl [-h] [-v] [-j] [-l] [instance] {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get- nsstate,ldifgen,dsrc,cockpit,dblib} ... POSITIONAL ARGUMENTS dsctl restart Restart an instance of Directory Server, if it is running: else start it. dsctl start Start an instance of Directory Server, if it is not currently running dsctl stop Stop an instance of Directory Server, if it is currently running dsctl status Check running status of an instance of Directory Server dsctl remove Destroy an instance of Directory Server, and remove all data. dsctl db2index Initialise a reindex of the server database. The server must be stopped for this to proceed. dsctl db2bak Initialise a BDB backup of the database. The server must be stopped for this to proceed. dsctl db2ldif Initialise an LDIF dump of the database. The server must be stopped for this to proceed. dsctl dbverify Perform a db verification. You should only do this at direction of support dsctl bak2db Restore a BDB backup of the database. The server must be stopped for this to proceed. dsctl ldif2db Restore an LDIF dump of the database. The server must be stopped for this to proceed. dsctl backups List backup's found in the server's default backup directory dsctl ldifs List all the LDIF files located in the server's LDIF directory dsctl tls Manage TLS certificates dsctl healthcheck Run a healthcheck report on a local Directory Server instance. This is a safe and read-only operation. Do not attempt to run this on a remote Directory Server as this tool needs access to local resources, otherwise the report may be inaccurate. dsctl get-nsstate Get the replication nsState in a human readable format Replica DN: The DN of the replication configuration entry Replica Suffix: The replicated suffix Replica ID: The Replica identifier Gen Time The time the CSN generator was created Gen Time String: The time string of generator Gen as CSN: The generation CSN Local Offset: The offset due to the local clock being set back Local Offset String: The offset in a nice human format Remote Offset: The offset due to clock difference with remote systems Remote Offset String: The offset in a nice human format Time Skew: The time skew between this server and its replicas Time Skew String: The time skew in a nice human format Seq Num: The number of multiple csns within a second System Time: The local system time Diff in Seconds: The time difference in seconds from the CSN generator creation to now Diff in days/secs: The time difference broken up into days and seconds Endian: Little/Big Endian dsctl ldifgen LDIF generator to make sample LDIF files for testing dsctl dsrc Manage the .dsrc file dsctl cockpit Enable the Cockpit interface/UI dsctl dblib database library (i.e bdb/lmdb) migration COMMAND 'dsctl restart' usage: dsctl [instance] restart [-h] COMMAND 'dsctl start' usage: dsctl [instance] start [-h] COMMAND 'dsctl stop' usage: dsctl [instance] stop [-h] COMMAND 'dsctl status' usage: dsctl [instance] status [-h] COMMAND 'dsctl remove' usage: dsctl [instance] remove [-h] [--do-it] OPTIONS 'dsctl remove' --do-it By default we do a dry run. This actually initiates the removal of the instance. COMMAND 'dsctl db2index' usage: dsctl [instance] db2index [-h] [--attr [ATTR ...]] [backend] backend The backend to reindex. IE userRoot OPTIONS 'dsctl db2index' --attr [ATTR ...] The attribute's to reindex. IE --attr aci cn givenname COMMAND 'dsctl db2bak' usage: dsctl [instance] db2bak [-h] [archive] archive The destination for the archive. This will be created during the db2bak process. COMMAND 'dsctl db2ldif' usage: dsctl [instance] db2ldif [-h] [--replication] [--encrypted] backend [ldif] backend The backend to output as an LDIF. IE userRoot ldif The path to the ldif output location. OPTIONS 'dsctl db2ldif' --replication Export replication information, suitable for importing on a new consumer or backups. --encrypted Export encrypted attributes COMMAND 'dsctl dbverify' usage: dsctl [instance] dbverify [-h] backend backend The backend to verify. IE userRoot COMMAND 'dsctl bak2db' usage: dsctl [instance] bak2db [-h] archive archive The archive to restore. This will erase all current server databases. COMMAND 'dsctl ldif2db' usage: dsctl [instance] ldif2db [-h] [--encrypted] backend ldif backend The backend to restore from an LDIF. IE userRoot ldif The path to the ldif to import OPTIONS 'dsctl ldif2db' --encrypted Import encrypted attributes COMMAND 'dsctl backups' usage: dsctl [instance] backups [-h] [--delete DELETE] OPTIONS 'dsctl backups' --delete DELETE Delete backup directory COMMAND 'dsctl ldifs' usage: dsctl [instance] ldifs [-h] [--delete DELETE] OPTIONS 'dsctl ldifs' --delete DELETE Delete LDIF file COMMAND 'dsctl tls' usage: dsctl [instance] tls [-h] {list-ca,list-client-ca,show-server-cert,show-cert,generate-server-cert-csr,import-client-ca,import-ca,import-server-cert,import-server-key-cert,remove-cert,export-cert} ... POSITIONAL ARGUMENTS 'dsctl tls' dsctl tls list-ca list server certificate authorities including intermediates dsctl tls list-client-ca list client certificate authorities including intermediates dsctl tls show-server-cert Show the active server certificate that clients will see and verify dsctl tls show-cert Show a certificate's details referenced by it's nickname. This is analogous to certutil -L -d -n dsctl tls generate-server-cert-csr Generate a Server-Cert certificate signing request - the csr is then submitted to a CA for verification, and when signed you import with import-ca and import-server-cert dsctl tls import-client-ca Import a CA trusted to issue user (client) certificates. This is part of how client certificate authentication functions. dsctl tls import-ca Import a CA or intermediate CA for signing this servers certificates (aka Server-Cert). You should import all the CA's in the chain as required. PEM bundles are accepted dsctl tls import-server-cert Import a new Server-Cert after the csr has been signed from a CA. dsctl tls import-server-key-cert Import a new key and Server-Cert after having been signed from a CA. This is used if you have an external csr tool or a service like lets encrypt that generates PEM keys externally. dsctl tls remove-cert Delete a certificate from this database. This will remove it from acting as a CA, a client CA or the Server-Cert role. dsctl tls export-cert Export a certificate to PEM or DER/Binary format. PEM format is the default COMMAND 'dsctl tls list-ca' usage: dsctl [instance] tls list-ca [-h] COMMAND 'dsctl tls list-client-ca' usage: dsctl [instance] tls list-client-ca [-h] COMMAND 'dsctl tls show-server-cert' usage: dsctl [instance] tls show-server-cert [-h] COMMAND 'dsctl tls show-cert' usage: dsctl [instance] tls show-cert [-h] nickname nickname The nickname (friendly name) of the certificate to display COMMAND 'dsctl tls generate-server-cert-csr' usage: dsctl [instance] tls generate-server-cert-csr [-h] [--subject SUBJECT] [alt_names ...] alt_names Certificate requests subject alternative names. These are auto-detected if not provided OPTIONS 'dsctl tls generate-server-cert-csr' --subject SUBJECT, -s SUBJECT Certificate Subject field to use COMMAND 'dsctl tls import-client-ca' usage: dsctl [instance] tls import-client-ca [-h] cert_path nickname cert_path The path to the x509 cert to import as a client trust root nickname The name of the certificate once imported COMMAND 'dsctl tls import-ca' usage: dsctl [instance] tls import-ca [-h] cert_path nickname [nickname ...] cert_path The path to the x509 cert to import as a server CA nickname The name of the certificate once imported COMMAND 'dsctl tls import-server-cert' usage: dsctl [instance] tls import-server-cert [-h] cert_path cert_path The path to the x509 cert to import as Server-Cert COMMAND 'dsctl tls import-server-key-cert' usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path cert_path The path to the x509 cert to import as Server-Cert key_path The path to the x509 key to import associated to Server-Cert COMMAND 'dsctl tls remove-cert' usage: dsctl [instance] tls remove-cert [-h] nickname nickname The name of the certificate to delete COMMAND 'dsctl tls export-cert' usage: dsctl [instance] tls export-cert [-h] [--binary-format] [--output-file OUTPUT_FILE] nickname nickname The name of the certificate to export OPTIONS 'dsctl tls export-cert' --binary-format Export certificate in DER/binary format --output-file OUTPUT_FILE The name for the exported certificate. Default name is the certificate nickname with an extension of ".pem" or ".crt" COMMAND 'dsctl healthcheck' usage: dsctl [instance] healthcheck [-h] [--list-checks] [--list-errors] [--dry-run] [--check CHECK [CHECK ...]] OPTIONS 'dsctl healthcheck' --list-checks List of known checks --list-errors List of known error codes --dry-run Do not execute the actual check, only list what would be done --check CHECK [CHECK ...] Areas to check. These can be obtained by --list-checks. Every element on the left of the colon (:) may be replaced by an asterisk if multiple options on the right are available. COMMAND 'dsctl get-nsstate' usage: dsctl [instance] get-nsstate [-h] [--suffix SUFFIX] [--flip FLIP] OPTIONS 'dsctl get-nsstate' --suffix SUFFIX The DN of the replication suffix to read the state from --flip FLIP Flip between Little/Big Endian, this might be required for certain architectures COMMAND 'dsctl ldifgen' usage: dsctl [instance] ldifgen [-h] {users,groups,cos-def,cos-template,roles,mod-load,nested} ... POSITIONAL ARGUMENTS 'dsctl ldifgen' dsctl ldifgen users Generate a LDIF containing user entries dsctl ldifgen groups Generate a LDIF containing groups and members dsctl ldifgen cos-def Generate a LDIF containing a COS definition (classic, pointer, or indirect) dsctl ldifgen cos-template Generate a LDIF containing a COS template dsctl ldifgen roles Generate a LDIF containing a role entry (managed, filtered, or indirect) dsctl ldifgen mod-load Generate a LDIF containing modify operations. This is intended to be consumed by ldapmodify. dsctl ldifgen nested Generate a heavily nested database LDIF in a cascading/fractal tree design COMMAND 'dsctl ldifgen users' usage: dsctl [instance] ldifgen users [-h] [--number NUMBER] [--suffix SUFFIX] [--parent PARENT] [--generic] [--start-idx START_IDX] [--rdn-cn] [--localize] [--ldif-file LDIF_FILE] OPTIONS 'dsctl ldifgen users' --number NUMBER The number of users to create. --suffix SUFFIX The database suffix where the entries will be created. --parent PARENT The parent entry that the user entries should be created under. If not specified, the entries are stored under random Organizational Units. --generic Create generic entries in the format of "uid=user####". These entries are also compatible with ldclt. --start-idx START_IDX For generic LDIF's you can choose the starting index for the user entries. The default is "0". --rdn-cn Use the attribute "cn" as the RDN attribute in the DN instead of "uid" --localize Localize the LDIF data --ldif-file LDIF_FILE The LDIF file name. Default location is the server's LDIF directory using the name 'ldifgen.ldif' COMMAND 'dsctl ldifgen groups' usage: dsctl [instance] ldifgen groups [-h] [--number NUMBER] [--suffix SUFFIX] [--parent PARENT] [--num-members NUM_MEMBERS] [--create-members] [--member-parent MEMBER_PARENT] [--member-attr MEMBER_ATTR] [--ldif-file LDIF_FILE] NAME NAME The group name. OPTIONS 'dsctl ldifgen groups' --number NUMBER The number of groups to create. --suffix SUFFIX The database suffix where the groups will be created. --parent PARENT The parent entry that the group entries should be created under. If not specified the groups are stored under the suffix. --num-members NUM_MEMBERS The number of members in the group. Default is 10000 --create-members Create the member user entries. --member-parent MEMBER_PARENT The entry DN that the members should be created under. The default is the suffix entry. --member-attr MEMBER_ATTR The membership attribute to use in the group. Default is "uniquemember". --ldif-file LDIF_FILE The LDIF file name. Default location is the server's LDIF directory using the name 'ldifgen.ldif' COMMAND 'dsctl ldifgen cos-def' usage: dsctl [instance] ldifgen cos-def [-h] [--type TYPE] [--parent PARENT] [--create-parent] [--cos-specifier COS_SPECIFIER] [--cos-template COS_TEMPLATE] [--cos-attr [COS_ATTR ...]] [--ldif-file LDIF_FILE] NAME NAME The COS definition name. OPTIONS 'dsctl ldifgen cos-def' --type TYPE The COS definition type: "classic", "pointer", or "indirect". --parent PARENT The parent entry that the COS definition should be created under. --create-parent Create the parent entry --cos-specifier COS_SPECIFIER Used in a classic COS definition, this attribute located in the user entry is used to select which COS template to use. --cos-template COS_TEMPLATE The DN of the COS template entry, only used for "classic" and "pointer" COS definitions. --cos-attr [COS_ATTR ...] A list of attributes which defines which attribute the COS generates values for. --ldif-file LDIF_FILE The LDIF file name. Default location is the server's LDIF directory using the name 'ldifgen.ldif' COMMAND 'dsctl ldifgen cos-template' usage: dsctl [instance] ldifgen cos-template [-h] [--parent PARENT] [--create-parent] [--cos-priority COS_PRIORITY] [--cos-attr-val COS_ATTR_VAL] [--ldif-file LDIF_FILE] NAME NAME The COS template name. OPTIONS 'dsctl ldifgen cos-template' --parent PARENT The DN of the entry to store the COS template entry under. --create-parent Create the parent entry --cos-priority COS_PRIORITY Sets the priority of this conflicting/competing COS templates. --cos-attr-val COS_ATTR_VAL defines the attribute and value that the template provides. --ldif-file LDIF_FILE The LDIF file name. Default location is the server's LDIF directory using the name 'ldifgen.ldif' COMMAND 'dsctl ldifgen roles' usage: dsctl [instance] ldifgen roles [-h] [--type TYPE] [--parent PARENT] [--create-parent] [--filter FILTER] [--role-dn [ROLE_DN ...]] [--ldif-file LDIF_FILE] NAME NAME The Role name. OPTIONS 'dsctl ldifgen roles' --type TYPE The Role type: "managed", "filtered", or "nested". --parent PARENT The DN of the entry to store the Role entry under --create-parent Create the parent entry --filter FILTER A search filter for gathering Role members. Required for a "filtered" role. --role-dn [ROLE_DN ...] A DN of a role entry that should be included in this role. Used for "nested" roles only. --ldif-file LDIF_FILE The LDIF file name. Default location is the server's LDIF directory using the name 'ldifgen.ldif' COMMAND 'dsctl ldifgen mod-load' usage: dsctl [instance] ldifgen mod-load [-h] [--create-users] [--delete-users] [--num-users NUM_USERS] [--parent PARENT] [--create-parent] [--add-users ADD_USERS] [--del-users DEL_USERS] [--modrdn-users MODRDN_USERS] [--mod-users MOD_USERS] [--mod-attrs [MOD_ATTRS ...]] [--randomize] [--ldif-file LDIF_FILE] OPTIONS 'dsctl ldifgen mod-load' --create-users Create the entries that will be modified or deleted. By default the script assumes the user entries already exist. --delete-users Delete all the user entries at the end of the LDIF. --num-users NUM_USERS The number of user entries that will be modified or deleted --parent PARENT The DN of the parent entry where the user entries are located. --create-parent Create the parent entry --add-users ADD_USERS The number of additional entries to add during the load. --del-users DEL_USERS The number of entries to delete during the load. --modrdn-users MODRDN_USERS The number of entries to perform a modrdn operation on. --mod-users MOD_USERS The number of entries to modify. --mod-attrs [MOD_ATTRS ...] List of attributes the script will randomly choose from when modifying an entry. The default is "description". --randomize Randomly perform the specified add, mod, delete, and modrdn operations --ldif-file LDIF_FILE The LDIF file name. Default location is the server's LDIF directory using the name 'ldifgen.ldif' COMMAND 'dsctl ldifgen nested' usage: dsctl [instance] ldifgen nested [-h] [--num-users NUM_USERS] [--node-limit NODE_LIMIT] [--suffix SUFFIX] [--ldif-file LDIF_FILE] OPTIONS 'dsctl ldifgen nested' --num-users NUM_USERS The total number of user entries to create in the entire LDIF (does not include the container entries). --node-limit NODE_LIMIT The total number of user entries to create under each node/subtree --suffix SUFFIX The suffix DN for the LDIF --ldif-file LDIF_FILE The LDIF file name. Default location is the server's LDIF directory using the name 'ldifgen.ldif' COMMAND 'dsctl dsrc' usage: dsctl [instance] dsrc [-h] {create,modify,delete,display,repl-mon} ... POSITIONAL ARGUMENTS 'dsctl dsrc' dsctl dsrc create Generate the .dsrc file dsctl dsrc modify Modify the .dsrc file dsctl dsrc delete Delete instance configuration from the .dsrc file. dsctl dsrc display Display the contents of the .dsrc file. dsctl dsrc repl-mon Display the contents of the .dsrc file. COMMAND 'dsctl dsrc create' usage: dsctl [instance] dsrc create [-h] [--uri URI] [--basedn BASEDN] [--people-rdn PEOPLE_RDN] [--groups-rdn GROUPS_RDN] [--binddn BINDDN] [--saslmech SASLMECH] [--tls-cacertdir TLS_CACERTDIR] [--tls-cert TLS_CERT] [--tls-key TLS_KEY] [--tls-reqcert TLS_REQCERT] [--starttls] [--pwdfile PWDFILE] [--do-it] OPTIONS 'dsctl dsrc create' --uri URI The URI (LDAP URL) for the Directory Server instance. --basedn BASEDN The default database suffix. --people-rdn PEOPLE_RDN Set the RDN for the 'people' subtree. Default is "ou=people" --groups-rdn GROUPS_RDN Set the RDN for the 'groups' subtree. Default is "ou=groups" --binddn BINDDN The default Bind DN used or authentication. --saslmech SASLMECH The SASL mechanism to use: PLAIN or EXTERNAL. --tls-cacertdir TLS_CACERTDIR The directory containing the Trusted Certificate Authority certificate. --tls-cert TLS_CERT The absolute file name to the server certificate. --tls-key TLS_KEY The absolute file name to the server certificate key. --tls-reqcert TLS_REQCERT Request certificate strength: 'never', 'allow', 'hard' --starttls Use startTLS for connection to the server. --pwdfile PWDFILE The absolute path to a file containing the Bind DN's password. --do-it Create the file without any confirmation. COMMAND 'dsctl dsrc modify' usage: dsctl [instance] dsrc modify [-h] [--uri [URI]] [--basedn [BASEDN]] [--people-rdn [PEOPLE_RDN]] [--groups-rdn [GROUPS_RDN]] [--binddn [BINDDN]] [--saslmech [SASLMECH]] [--tls-cacertdir [TLS_CACERTDIR]] [--tls-cert [TLS_CERT]] [--tls-key [TLS_KEY]] [--tls-reqcert [TLS_REQCERT]] [--starttls] [--cancel-starttls] [--pwdfile [PWDFILE]] [--do-it] OPTIONS 'dsctl dsrc modify' --uri [URI] The URI (LDAP URL) for the Directory Server instance. --basedn [BASEDN] The default database suffix. --people-rdn [PEOPLE_RDN] Sets the RDN used for the 'people' container --groups-rdn [GROUPS_RDN] Sets the RDN used for the 'groups' container --binddn [BINDDN] The default Bind DN used or authentication. --saslmech [SASLMECH] The SASL mechanism to use: PLAIN or EXTERNAL. --tls-cacertdir [TLS_CACERTDIR] The directory containing the Trusted Certificate Authority certificate. --tls-cert [TLS_CERT] The absolute file name to the server certificate. --tls-key [TLS_KEY] The absolute file name to the server certificate key. --tls-reqcert [TLS_REQCERT] Request certificate strength: 'never', 'allow', 'hard' --starttls Use startTLS for connection to the server. --cancel-starttls Do not use startTLS for connection to the server. --pwdfile [PWDFILE] The absolute path to a file containing the Bind DN's password. --do-it Update the file without any confirmation. COMMAND 'dsctl dsrc delete' usage: dsctl [instance] dsrc delete [-h] [--do-it] OPTIONS 'dsctl dsrc delete' --do-it Delete this instance's configuration from the .dsrc file. COMMAND 'dsctl dsrc display' usage: dsctl [instance] dsrc display [-h] COMMAND 'dsctl dsrc repl-mon' usage: dsctl [instance] dsrc repl-mon [-h] [--add-conn ADD_CONN [ADD_CONN ...]] [--del-conn DEL_CONN [DEL_CONN ...]] [--add-alias ADD_ALIAS [ADD_ALIAS ...]] [--del-alias DEL_ALIAS [DEL_ALIAS ...]] OPTIONS 'dsctl dsrc repl-mon' --add-conn ADD_CONN [ADD_CONN ...] Add a replica connection: 'NAME:HOST:PORT:BINDDN:CREDENTIAL' --del-conn DEL_CONN [DEL_CONN ...] delete a replica connection by its NAME --add-alias ADD_ALIAS [ADD_ALIAS ...] Add a host/port alias: 'ALIAS_NAME:HOST:PORT' --del-alias DEL_ALIAS [DEL_ALIAS ...] delete a host/port alias by its ALIAS_NAME COMMAND 'dsctl cockpit' usage: dsctl [instance] cockpit [-h] {enable,open-firewall,disable,close-firewall} ... POSITIONAL ARGUMENTS 'dsctl cockpit' dsctl cockpit enable Enable the Cockpit socket dsctl cockpit open-firewall Open the firewall for the "cockpit" service dsctl cockpit disable Disable the Cockpit socket dsctl cockpit close-firewall Remove the "cockpit" service from the firewall settings COMMAND 'dsctl cockpit enable' usage: dsctl [instance] cockpit enable [-h] COMMAND 'dsctl cockpit open-firewall' usage: dsctl [instance] cockpit open-firewall [-h] [--zone ZONE] OPTIONS 'dsctl cockpit open-firewall' --zone ZONE The firewall zone COMMAND 'dsctl cockpit disable' usage: dsctl [instance] cockpit disable [-h] COMMAND 'dsctl cockpit close-firewall' usage: dsctl [instance] cockpit close-firewall [-h] COMMAND 'dsctl dblib' usage: dsctl [instance] dblib [-h] {bdb2mdb,mdb2bdb,cleanup} ... POSITIONAL ARGUMENTS 'dsctl dblib' dsctl dblib bdb2mdb Migrate bdb databases to lmdb dsctl dblib mdb2bdb Migrate lmdb databases to bdb dsctl dblib cleanup Remove migration ldif file and old database COMMAND 'dsctl dblib bdb2mdb' usage: dsctl [instance] dblib bdb2mdb [-h] [--tmpdir TMPDIR] OPTIONS 'dsctl dblib bdb2mdb' --tmpdir TMPDIR ldif migration files directory path. COMMAND 'dsctl dblib mdb2bdb' usage: dsctl [instance] dblib mdb2bdb [-h] [--tmpdir TMPDIR] OPTIONS 'dsctl dblib mdb2bdb' --tmpdir TMPDIR ldif migration files directory path. COMMAND 'dsctl dblib cleanup' usage: dsctl [instance] dblib cleanup [-h] OPTIONS -v, --verbose Display verbose operation tracing during command execution -j, --json Return result in JSON object -l, --list List available Directory Server instances AUTHOR Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org> DISTRIBUTION The latest version of lib389 may be downloaded from lib389 3.0.1 2024-04-08 DSCTL(1)