NCLHELP.HLB  —  Directory Module, DSA  Characteristics
 Each DSA characteristic attribute is listed below. You can assign
 values (using the SET directive) to all of these attributes except
 for the Version attribute. You can display the current value of
 all of the attributes using the SHOW directive.

 Syntax:

 	SET  DSA <attr> <value> [, ...]
 	SHOW DSA <attr> [, ...]

 where <attr> is the attribute name and <value> is the
 value. You can specify more than one attribute in a single
 directive by separating the attributes with a comma.
 For example:

 	SET  DSA AE TITLE="/C=US/CN=DSA3", PASSWORD="mumble"
 	SHOW DSA AE TITLE, PASSWORD

 You can use the ALL CHARACTERISTICS keywords in a SHOW directive,
 for example:

         SHOW DSA ALL CHARACTERISTICS

 Characteristic attributes can be reset to their default values by
 specifying the characteristic attribute without a value in a SET
 directive. For example, the following command resets the DSA AE
 Title attribute to its default value (no value):

 	SET DSA AE TITLE

1  –  Accounting Facility

 The Accounting Facility characteristic attribute controls whether
 the accounting facility is enabled on a DSA. (Note that previous
 versions of the DSA used an Accounting State attribute. The
 Accounting State attribute has been withdrawn.)

 Syntax:

 	SET DSA ACCOUNTING FACILITY <ON/OFF>
 	SHOW DSA ACCOUNTING FACILITY

 When you enable the accounting facility, the DSA generates the
 Accounting Enabled event. If the accounting facility cannot be
 started, the DSA generates the Accounting Start Failure event. When
 you disable the accounting facility, the DSA generates  the
 Accounting Disabled event.

 The setting of this attribute is maintained when you disable
 and re-enable the DSA, and also when you delete and recreate the DSA.

2  –  Accounting Options

 The Accounting Options characteristic attribute controls the amount
 of information included in Operation records in the accounting file.
 If this attribute is not set, the DSA provides a summary of user
 requests. The information included in Operation records is described
 in HP Enterprise Directory  - Problem Solving.

 If you set this attribute, in addition to summary information,
 the DSA can include the protocol data unit (PDU) of the user
 request and/or the error returned to the user if the operation is
 not successful. The error PDU and request PDU are described in
 ITU-T Recommendation X.511.

 You can set the attribute such that the DSA includes either the PDU
 of a successful user request, the PDU of an error returned in
 response to a user request, both, or neither.

 Syntax:

 	SET DSA ACCOUNTING OPTIONS {REQUESTPDU}
 	SET DSA ACCOUNTING OPTIONS {ERRORPDU}
 	SET DSA ACCOUNTING OPTIONS {REQUESTPDU, ERRORPDU}
 	SET DSA ACCOUNTING OPTIONS {}
         SHOW DSA ACCOUNTING OPTIONS

 To stop the DSA including either the request PDU or the error PDU in
 Operation records, enter the following command:

 	> SET DSA ACCOUNTING_OPTIONS {}

 This attribute has no effect if the Accounting Facility status
 attribute is set to OFF.

3  –  Accounting Rollover Interval

 The Accounting Rollover Interval characteristic attribute controls
 how often the DSA closes the current accounting file and creates a
 new one, that is, rolls over the accounting file. The interval uses
 the accounting rollover start time as its starting point. For
 example, if you set the accounting rollover interval to 6 hours, the
 first accounting file rollover will take place at the time specified
 by the Accounting Rollover Start Time attribute, and the second
 rollover six hours later.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER INTERVAL <time>
 	SHOW DSA ACCOUNTING ROLLOVER INTERVAL

 where <time> is the required interval specified in binary relative
 time.  For example, to make the DSA  rollover the accounting file
 every twelve and a half hours, enter the following:

 	> SET DSA ACCOUNTING ROLLOVER INTERVAL 12:30:00

 When the DSA rolls over the accounting file, it generates the
 Accounting File Rollover event. You can then process the closed
 accounting files using your decoding and billing utility.

 On Tru64 UNIX systems, accounting files are stored in
 the /var/dxd/accounting directory. On OpenVMS systems, accounting
 files are stored in the directory pointed to by the DXD$ACCOUNTING
 logical.

 Note that accounting files are neither purged nor deleted
 automatically by the DSA.

 The default setting for this characteristic attribute is 12 hours.

 This attribute has no effect if the Accounting Facility
 characteristic attribute is set to OFF.

4  –  Accounting Rollover Last Time

 This characteristic attribute is read only. It indicates the most
 recent time at which the accounting file was rolled over, that is,
 the time at which the previous accounting file was closed and the
 current accounting file created.

 Syntax:

 	SHOW DSA ACCOUNTING ROLLOVER LAST TIME

 The time is displayed in binary absolute time.

 If a rollover has not occurred since the DSA was created, then
 this attribute shows the time that the DSA was created.

5  –  Accounting Rollover Start Time

 This characteristic attribute indicates the first time at which the
 accounting file is to be rolled over, that is, the time at which the
 accounting file is to be closed and a new one created for the first
 time.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER START TIME <time>
 	SHOW DSA ACCOUNTING ROLLOVER START TIME

 where <time> is the required time specified in binary absolute time.

 For example, if you want the accounting file to be rolled over for
 the first time at 12:00, enter the following:

 	> SET DSA ACCOUNTING ROLLOVER START TIME 12:00:00

 Subsequent accounting file rollovers occur at the interval specified
 by the Accounting Rollover Interval attribute.

 This attribute has no effect if the Accounting Facility characteristic
 attribute is set to OFF.

6  –  Accounting Rollover Window

 The Accounting Rollover Window characteristic attribute defines the
 window for closing the current accounting file and creating a new
 one, that is, for rolling over the accounting file. If the accounting
 facility cannot roll over the accounting file within the time
 specified by the accounting rollover window, it continues to use the
 current accounting file until the next scheduled or unscheduled
 accounting file rollover.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER WINDOW <time>
 	SHOW DSA ACCOUNTING ROLLOVER WINDOW

 For example, assume the Accounting Rollover Window is set to 30
 minutes, the Accounting Rollover Interval to 6 hours, and the
 Accounting Rollover Start Time to 12:00:00. The accounting facility
 tries to rollover the accounting file at 12:00. If this rollover is
 not started by 12:30:00, the accounting facility abandons the
 attempt and continues to use the current accounting file until the
 next scheduled rollover at 18:00:00.

 When the accounting facility performs a scheduled rollover, that is a
 rollover required by the Accounting Rollover Interval characteristic
 attribute, it checks that no unscheduled rollover has been performed
 within the accounting rollover window. If one has, the scheduled
 rollover is not performed. For example, assume there is a scheduled
 rollover of the accounting file at 12:00:00. Before the scheduled
 rollover is performed, there is an unscheduled rollover at 12:10:00.
 Consequently, the scheduled rollover is not performed.

 The default setting for this characteristic attribute is 1 hour.

 This attribute has no effect if the Accounting Facility characteristic
 attribute is set to OFF.

7  –  Accounting Rollover Unscheduled Time

 You can use this characteristic attribute to force the accounting
 facility to immediately rollover the accounting file, that is, close
 the current accounting file and create a new one. Alternatively, by
 specifying the required time as the qualifier to this characteristic
 attribute, you can force the accounting facility to rollover the
 accounting file at any required time. In either case, this is called
 an unscheduled accounting file rollover.

 Syntax:

 	SET DSA ACCOUNTING ROLLOVER UNSCHEDULED TIME <time>
 	SHOW DSA ACCOUNTING ROLLOVER UNSCHEDULED TIME

 where <time> is the time at which you want the unscheduled accounting
 file rollover to take place in binary absolute time. If you do not
 specify a time the DSA performs accounting file rollover immediately.

 This attribute has no effect if the Accounting Facility
 characteristic attribute is set to OFF.

8  –  AE Title

 The AE Title attribute specifies the application entity title of
 the DSA. The AE Title is unique to this DSA.

 You specify the AE Title using the SET directive. You cannot
 enable  the DSA until it has an AE title. You must make sure that
 the  AE Title attribute is the same as the distinguished name of
 the  directory entry that represents this DSA in the DIT. Refer
 to HP Enterprise Directory  - Management for further details.

 The DSA must be in state OFF when you set the AE Title attribute.

 Syntax:

 	SET  DSA AE TITLE "<name>"
 	SHOW DSA AE TITLE

 Refer to DSA Common_Datatypes for information on the
 syntax of an AE Title.

9  –  Archived Update Log Number

 By default, the DSA will not keep prior versions of the Update Log File that
 it no longer needs. These log files are also used for incremenetal shadowing,
 so removal of earlier update log files may cause some shadowing agreements to
 perform a total update.
 The Archived Update Log Number attribute prevents the DSA from deleting the
 Update Log File. If this attribute is set to a number greater than zero,
 then all update logs files beyond this number will be preserved.

 Syntax:

 	SET  DSA ARCHIVED UPDATE LOG NUMBER <value>
 	SHOW DSA ARCHIVED UPDATE LOG NUMBER

10  –  DIT Check Interval

 The DIT Check Interval attribute defines how often the DSA
 writes its database to disk.

 When you modify directory entries, the DSA applies the
 modifications to the copy of the database that it holds in memory.
 It also keeps a log of all modifications in an update log file.

 After every DIT check interval, the DSA writes the database to disk.
 It then opens a new update log file for the next interval.

 In the event of a system problem, the DSA can recover its database by
 reading it from disk and applying the changes logged in the most recent
 update log file.

 Syntax:
 	SET  DSA DIT CHECK INTERVAL "<time>"
 	SHOW DSA DIT CHECK INTERVAL

 The full syntax for specifying a time is as follows: DDD-HH:MM:SS

 where DDD is days, HH is hours, MM is minutes, and SS is seconds.
 If you specify more than 366 days, the DSA uses 366 days as its
 DIT check interval. The DSA displays the value you specified if
 you use the SHOW directive.

 The default value is "12:00:00", indicating 12 hours. If you have a
 DSA that handles a lot of modifications, then you might want to
 specify a shorter interval. This prevents the update log file from
 becoming too large.

11  –  DIT Check Last Time

 This attribute records the time of the last DIT check, that is,
 the last time that the DSA wrote its database to disk and
 created a new update log. This is a read-only attribute.

 Syntax:
 	SHOW DSA DIT CHECK LAST TIME

12  –  DIT Check Window

 This attribute specifies the duration of the DIT check window.
 If the DSA fails to write its database to disk within this
 window, the attempt is delayed until the next scheduled DIT
 check.

 Syntax:
 	SET DSA DIT CHECK WINDOW "<time>"
 	SHOW DSA DIT CHECK WINDOW

 The full syntax for specifying a time is as follows: DDD-HH:MM:SS

 where DDD is days, HH is hours, MM is minutes, and SS is seconds.
 If you specify more than 366 days, the DSA uses 366 days as its
 DIT check window. The DSA displays the value you specified if
 you use the SHOW directive.

 The default value is 01:00:00, or one hour.

13  –  DIT Check Unscheduled Time

 Use this attribute to specify a time when the DSA must write
 its database to disk and create a new update log file. If
 you specify no time or a time in the past, the DSA writes its
 database immediately. This attribute has no effect on the
 normal schedule.

 Syntax: SET DSA DIT CHECK UNSCHEDULED TIME "<time>"
 	SHOW DSA DIT CHECK UNSCHEDULED TIME

 For example:

  	> SET DSA DIT CHECK UNSCHEDULED TIME "1995-01-05-01:12:00"

14  –  DIT Check Start Time

 This characteristic attribute indicates the first time at which the
 DSA is to write its database to disk and open a new update log file.

 Syntax:

 	SET DSA DIT CHECK START TIME "<time>"
 	SHOW DSA DIT CHECK START TIME

 where <time> is the required time specified in binary absolute
 time. For example, if you want the DSA to write the database for
 the first time at midday, enter the following:

 	> SET DSA DIT CHECK START TIME "12:00"

 The DSA then writes the database to disk at regular intervals
 after the specified start time. The intervals are defined by
 the DIT Check Interval attribute.

15  –  Dereference Aliases On Modify

 The Dereference Aliases on Modify attribute specifies whether
 alias names can be used in modification requests, such as
 the DXIM CREATE ENTRY, MODIFY ENTRY, DELETE ENTRY and
 RENAME ENTRY commands.

 If this attribute is set to TRUE, then alias names can be
 used in modifications if the user so desires. For example, a
 DXIM command line user can use the Dereference Aliases
 control to indicate that they want alias names dereferenced for
 a particular command. This means that the user can refer to the
 entry that they want to modify by means of its distinguished name
 or any valid alias name for that entry.

 If the attribute is set to FALSE, then alias names are never
 dereferenced  for modifications, regardless of user
 specification. This means that  a user must refer to the entry
 they want to modify by means of its  distinguished name. If they
 use an alias name, even a valid one, the command fails.

 The default value is FALSE. (Note that when displaying
 entries, the default behaviour is to dereference aliases.)

 Syntax:

 	SET DSA DEREFERENCE ALIASES ON MODIFY <TRUE/FALSE>

16  –  Examples

 	>  SET DSA PRESENTATION ADDRESS -
         _>  '"DSA"/"DSA"/"DSA"/NS+49002aaa0004000aaaaa,CLNS'

 	> SHOW DSA PRESENTATION ADDRESS

 	The first command assigns a presentation address to the DSA
 	and the second command displays this address.

 	> SET  DSA AE TITLE "/C=US/O=Abacus/CN=DSA1"
 	> SHOW DSA AE TITLE

 	The first command assigns an AE title to the
 	DSA and the second command displays it.

 	> SHOW DSA VERSION, AE TITLE, SIZE LIMIT

 	This command displays the value of three
 	characteristic attributes.

 	> SHOW DSA ALL CHARACTERISTICS

 	This command displays the value of all characteristic
 	attributes.

17  –  Idle Disconnect Timer

 The Idle Disconnect Timer attribute specifies how long a
 connection can remain unused before timing out. The value
 is specified in seconds.

 This ensures that system resources are not being consumed
 by inactive associations. The default value is 300 seconds.

 Syntax:

 	SET DSA IDLE DISCONNECT TIMER <seconds>
 	SHOW DSA IDLE DISCONNECT TIMER

 A value of 0 seconds indicates that idle connections are never
 disconnected by the DSA. This is not advisable.

18  –  Password

 The Password attribute contains the password of the DSA. This
 is used by the DSA to identify itself to another DSA when it
 needs to contact that DSA.

 The Password must match the userPassword attribute of the
 directory entry representing this DSA. If you change the password
 of the DSA, you must do so in both places.

 The password must be between 1 and 128 characters long.
 There is no default value. If a DSA does not have a password,
 it cannot replicate information, and might have difficulty
 passing user requests on to other DSAs.

 Syntax:

 	SET DSA PASSWORD <value>

19  –  LDAP Cipher Suites

 The LDAP Cipher Suites attribute specifies which SSL Cipher Suites will
 be available for SSL connections. If this attribute is not set, then the
 DSA will accept any of the ciphersuites in the SSL default list. This
 attribute allows you to restrict the DSA to a subset of the ciphersuites
 available in SSL. The value is a quoted string, listing each ciphersuite
 to be allowed, separated by a ':'.

 The DSA must be in state OFF for you to set this attribute.

 Syntax:
 	SET DSA LDAP CIPHERSUITE "<value>:<value>..."
 	SHOW DSA LDAP CIPHERSUITE

20  –  LDAP Port

 The LDAP Port attribute is the port number that the DSA listens on
 for LDAP protocol, when you enable the DSA.

 You must set the LDAP Port to a non-zero integer, while the DSA
 is in the OFF state. If the port number is set to zero, the DSA
 does not listen for LDAP requests.

 Syntax:
 	SET DSA LDAP PORT <value>
 	SHOW DSA LDAP PORT

21  –  LDAP Security Protocol

 Specify the security protocol to be used on this port. The DSA must be in
 state OFF, before you can set this attribute.

 Syntax:
 	SET DSA LDAP SECURITY PROTOCOL
 				<"SSLv2"/"SSLv3"/"SSLv23"/"TLSv1">
 	SHOW DSA LDAP SECURITY PROTOCOL

22  –  Presentation Address

 You cannot enable the DSA until it has a valid presentation
 address. The DSA must be in the OFF state when you set its
 Presentation Address attribute. Note that the easiest way to
 set a DSA's presentation address is to use the DSA
 configuration procedure.

 Syntax:
 	SET DSA PRESENTATION ADDRESS <address>
 	SHOW DSA PRESENTATION ADDRESS

 Quote the entire presentation address using the ' character.
 Do not attempt to break the presentation address across multiple
 command lines. Either use a wide window, or simply allow the
 presentation address to wrap.

 Refer to HP Enterprise Directory  - Management for
 details of how to use the DSA configuration procedure to set a DSA's
 presentation address.

 Refer to DSA Common_Datatypes for further information
 on the syntax of the Presentation Address attribute.

23  –  Private Key Passphrase

 If you want use SSL on LDAP connections to protect the security of the
 authentication phase, you need to obtain a certificate for the DSA.
 The certificate will have a Private Key that the DSA can use to validate
 the certificate exchange. This Private Key is usually encrypted using a
 pass phrase chosen by the user. If you are using SSL, you need to obtain
 a certificate and private key for the DSA in PEM format, either from a
 Certificate Authority or from SSL and store these in the DSA's directory
 area as DSA-certificate.pem and DSA-private-key.pem. You also need to tell
 the DSA what is the passphrase for the private key, by setting the PRIVATE
 KEY PASSPHRASE attribute. This is a password attribute, so you cannot SHOW
 it.

 Syntax:
 	SET DSA PRIVATE KEY PASSPHRASE "<value>"

24  –  Prohibit Chaining

 The Prohibit Chaining attribute specifies whether the DSA is
 allowed to communicate with other DSAs when attempting to satisfy
 user requests. Communication between DSAs is called chaining.

 The DSA must be in state OFF when you set this attribute.

 Syntax:
 	SET DSA PROHIBIT CHAINING <TRUE/FALSE>

 To prohibit chaining, specify the value TRUE; otherwise the
 value specified by the user or the user application is used. For
 example,  a user of the DXIM command line interface can use the
 No Chaining control.

 If a DSA is prohibited from communicating with other DSAs, then
 it provides the user or the application with a "continuation
 reference" or a "referral" instead. These identify which DSA(s)
 would have been contacted, and provide the user with the
 information they require to make the connection(s) directly if
 they want to. For ease of use, it is usually preferable not to
 prohibit chaining.

 Note that prohibiting chaining does not prevent DSAs from
 connecting to other DSAs for other reasons, such as replication.

25  –  Prohibit DECnet Transport

 The Prohibit DECnet Transport attribute specifies whether the DSA can use
 the DECnet OSI Transport protocol to communicate with DUAs and other DSAs.

 If the use of DECnet OSI Transport protocol is prohibited, then all
 communication will use the DSA's private RFC1006 implementation rather than
 DECnet's transports. If DECnet is running you will most likely not be able
 to use TCP/IP port 102 as DECnet will have allocated it.

 The DSA must be in state OFF when you set this attribute.

 Syntax:
 	SET  DSA PROHIBIT DECNET TRANSPORT <TRUE/FALSE>
 	SHOW DSA PROHIBIT DECNET TRANSPORT

26  –  Read Only DSA NSAPs

 The Read Only DSA NSAPs attribute identifies one or more DSAs
 that  are allowed to contact this DSA and perform interrogations
 on behalf of their users. Each DSA is represented by the NSAP
 value of its  presentation address.

 Syntax:

 	SET DSA READ ONLY DSA NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA READ ONLY DSA NSAPS {%x49002aaa00040008aa21}

 You can specify the leading characters of an NSAP to indicate
 that read-only access is allowed for any DSA using an NSAP
 beginning with that sequence of characters. For example:

 	SET DSA READ ONLY DSA NSAPS {%x49002a}

 The default value is an empty list of NSAP addresses, indicating
 that all NSAPs are allowed. If the attribute specifies one or more
 NSAPs, then only DSAs using those NSAPs are allowed to perform
 interrogations of this DSA.

 Note that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a read-only DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

27  –  Read Only DSA Names

 The Read Only DSA Names attribute lists the AE title of each DSA
 allowed to access this DSA to perform interrogations on behalf of
 their users.

 Syntax:
 	SET DSA READ ONLY DSA NAMES {<aetitle>, ....}

 where <aetitle> is the AE title of a DSA. For example:

 	"/C=US/O=Abacus/OU=Sales/CN=DSA1"

 Refer to DSA Common_Datatypes for more information
 on how to specify an AE title.

 The default value is an empty list of AE titles, indicating
 that any DSA is allowed to interrogate this DSA (subject to other
 controls). If one or more AE titles are specified in this
 attribute, then only those DSAs are allowed to interrogate this DSA.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a read-only DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

28  –  Reader NSAPs

 The Reader NSAPs attribute lists the NSAP addresses
 that directory applications can use to access the DSA and perform
 interrogations.

 Note that this is not the recommended way to implement controls
 on user access to directory information. Refer to HP Enterprise
 Directory  - Management for access control advice.

 Syntax:
 	SET DSA READER NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA READER NSAPS {%x49002aaa00040008aa21}

 You can specify the leading characters of an NSAP to indicate
 that read-only access is allowed for any application using an
 NSAP beginning with that sequence of characters. For example:

 	SET DSA READER NSAPS {%x49002a}

 The default value is an empty set of NSAP addresses, indicating
 that applications can use any NSAP.

 Note that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed read access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

29  –  Reader Names

 The Reader Names attribute lists the distinguished names of
 users permitted to access the DSA and perform interrogations.

 Note that this is not the recommended way to implement controls
 on user access to directory information. Refer to HP Enterprise
 Directory  - Management for access control advice.

 Syntax:
 	SET DSA READER NAMES {<name>, ....}

 where <name> is the distinguished name of a user, for example:

 	"/C=US/O=Abacus/OU=Sales/CN='Jon Smith'"

 Refer to DSA Common_Datatypes for more information
 on how to specify a distinguished name.

 If the attribute contains no names, then all users can
 interrogate the DSA (subject to access controls, and to the
 setting of the Reader NSAPs and the Writer Names and
 Writer NSAPs attributes).

 The default value is an empty list of distinguished names,
 allowing all users to read information, subject to other
 attributes and access controls.

 Note that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed read access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

30  –  Schema Check On Modify

 The Schema Check on Modify attribute specifies whether the DSA
 checks modifications for conformance with the schema.

 Syntax:
 	SET DSA SCHEMA CHECK ON MODIFY <TRUE/FALSE>

 If you do not want the DSA to use the schema to ensure that
 modifications are valid, set this attribute to FALSE.

 Note that if directory modifications are not checked against
 the schema, you can easily corrupt your directory information.
 It is not advisable to set this attribute to FALSE unless you
 are sure that all requests for modification will be valid.

 One reason to set this attribute to FALSE temporarily might be
 because you want to use a script file to execute a large number
 of commands which you are sure are all valid. The DSA can process
 such a file more quickly, but you must be confident that the file
 contains no invalid commands. For example, if the file contains
 a request to add an attribute to an entry for which it is not
 allowed, then you will have created an invalid entry.

31  –  Size Limit

 The Size Limit attribute specifies the maximum number of entries
 that can be returned when satisfying a user request. Most
 directory operations only return one entry, but some, such as
 searches, can return many entries.

 Syntax:
 	SET DSA SIZE LIMIT <number>

 The limit specified using this characteristic attribute overrides
 the value specified by the user application, if the application
 requests a larger number.

 The default value is 0, indicating that there is no limit on the
 number of entries that can be returned unless the application
 specifies one.

32  –  SSL LDAP Cipher Suites

 The SSL LDAP Cipher Suites attribute specifies which SSL Cipher Suites will
 be available for SSL connections through the dedicated SSL LDAP port. If this
 attribute is not set, then the DSA will accept any of the ciphersuites in
 the SSL default list. This attribute allows you to restrict the DSA to a
 subset of the ciphersuites available in SSL. The value is a quoted string,
 listing each ciphersuite to be allowed, separated by a ':'.

 The DSA must be in state OFF for you to set this attribute.

 Syntax:
 	SET  DSA SSL LDAP CIPHERSUITES "<value>:<value>..."
 	SHOW DSA SSL LDAP CIPHERSUITES

33  –  SSL LDAP Port

 The SSL LDAP Port attribute is the port number of the dedicated SSL LDAP port
 that the DSA listens on for SSL messages, when you enable the DSA.
 Unlike the LDAP port, which can establish LDAP connections with or without
 SSL, the SSL_LDAP_port will refuse all LDAP connections that do not specify
 SSL.

 You must set the SSL LDAP Port to a non-zero integer, while the DSA
 is in the OFF state. If the port number is zero, the DSA does not listen
 for SSL requests.

 Syntax:
 	SET  DSA SSL LDAP PORT <value>
 	SHOW DSA SSL LDAP PORT

34  –  SSL LDAP Security Protocol

 Specify the security protocol to be used on the SSL LDAP port. The DSA must
 be in state OFF, when you set this attribute.

 Syntax:
 	SET  DSA SSL LDAP SECURITY PROTOCOL
 				<"SSLv2"/"SSLv3"/"SSLv23"/"TLSv1">
 	SHOW DSA SSL LDAP SECURITY PROTOCOL

35  –  SSL State

 The overall policy for SSL is controlled by the setting of the
 DSA characteristic SSL STATE.

 Syntax:

 	SET  DSA SSL STATE <state>
 	SHOW DSA SSL STATE

 Values for this characteristic are:

 "On"  	     SSL is enabled.

 "Off"  	     SSL is not enabled. SSL negotiation on the LDAP port
 	     will be refused.

 "Mandatory"  SSL is enabled and SSL must be negotiated on the LDAP
 	     port before any authenticated bind operation. Only
 	     unauthenticated operations can be performed on the
 	     normal LDAP port before SSL negotiation.

36  –  Time Limit

 The Time Limit attribute specifies the time, in seconds, within
 which a directory request must be completed. The value specified
 using this characteristic attribute limits the ability of user
 applications to specify a time limit.

 Syntax:
 	SET DSA TIME LIMIT <seconds>

 The default value is 0, indicating that there is no time
 limit unless the application specifies one.

 The DSA makes frequent checks to see whether it has exceeded the
 time limit, and stops processing a request as soon as one of
 these checks indicates that the time limit has been exceeded. Any
 results that have been found within the time limit are presented
 to the user, with a Partial Results Displayed message.

37  –  Trusted DSA NSAPs

 The Trusted DSA NSAPs attribute contains a list of NSAP
 addresses through which DSAs can contact this DSA and perform
 chained read and chained modify operations.

 Syntax:
 	SET DSA TRUSTED DSA NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA TRUSTED DSA NSAPS {%x49002aaa00040008aa21}

 The default value is an empty set of NSAP addresses, indicating
 that all NSAPs are allowed.

 You can specify the leading characters of an NSAP to indicate
 that trusted access is allowed for any DSA using an
 NSAP beginning with that sequence of characters. For example:

 	SET DSA TRUSTED DSA NSAPS {%x49002a}

 The default value is an empty set of NSAP addresses, indicating
 that DSAs can use any NSAP.

 Trusted access is required by DSAs that are attempting to chain
 a requested for an authenticated user. This DSA must decide
 whether the calling DSA is to be trusted when it claims to have
 authenticated the user satisfactorily.

 Note that this attribute has no effect on DSA communications
 for other purposes, such as replication.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a trusted DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

38  –  Trusted DSA Names

 The Trusted DSA Names attribute can contain a list of trusted
 DSAs.

 Syntax:
 	SET DSA TRUSTED DSA NAMES {<aetitle>, ....}

 where <aetitle> is the AE title of a DSA that is to be trusted,
 for example:

 	"/C=US/O=Abacus/OU=Sales/CN=DSA1"

 The list contains the AE title of each trusted DSA.
 Refer to DSA Common_Datatypes for more information
 on how to specify an AE title.

 The default value is an empty list of AE titles, which means
 that this DSA trusts no other DSAs.

 Trust enables this DSA to accept another DSA's claim that
 a user has authenticated satisfactorily. This enables chained
 requests to be satisfied, rather than requiring a user to
 authenticate specifically to the DSA that holds the information
 they want to access.

 Note that this attribute is not the recommended way to implement
 trust between DSAs. Refer to the management guide for details of
 how to create directory entries to represent trusted DSAs.

 Note also that this attribute has no effect on DSA communications
 for other purposes, such as replication.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is treated as a trusted DSA for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

39  –  Version

 The Version attribute displays the version number of the DSA.
 The value is read-only.

 Syntax:
 	SHOW DSA VERSION

40  –  Volatile Modifications

 The Volatile Modifications attribute specifies whether the DSA
 writes all modifications to disk immediately, or delays writing
 modifications to disk.

 Syntax:

 	SET DSA VOLATILE MODIFICATIONS <TRUE/FALSE>

 If the attribute is set to FALSE, then the DSA always writes
 modifications to disk immediately after applying them to its
 in-memory database. This ensures that modifications are never
 lost, but reduces DSA performance for modification operations.

 If the attribute is set to TRUE, then modifications are written
 to memory immediately, but may not be written to disk for up to
 fifteen seconds. This means it is possible that some
 modifications may be lost if a DSA exits abnormally. However,
 the DSA can process volatile modifications much faster than
 non-volatile modifications.

 The default value is FALSE. HP suggests that you set the
 attribute to TRUE, unless you have a strong requirement to
 ensure that modifications are never lost. The attribute can be
 set at any time, regardless of the state of the DSA.

41  –  Writer NSAPs

 This attribute lists the NSAP addresses that directory
 applications can use to communicate with this DSA and modify
 directory information. Any application attempting to use
 an unlisted NSAP is not allowed to modify information held by
 this DSA. It might be able to read information, subject to
 the Reader_NSAPs attribute. Having write access automatically
 gives read access as well.

 Note that this attribute is not the recommended way to implement
 access control. Refer to HP Enterprise Directory
 - Management for access control advice.

 Syntax:
 	SET DSA WRITER NSAPS {<address>, ....}

 where <address> is the NSAP address, for example:

 	SET DSA WRITER NSAPS {%x49002aaa00040008aa21}

 You can specify the leading characters of an NSAP to indicate
 that access is allowed for any application using an NSAP beginning
 with that sequence of characters. For example:

 	SET DSA WRITER NSAPS {%x49002a}

 The default value is an empty set of NSAP addresses, indicating
 that an application can use any NSAP.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed write access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.

42  –  Writer Names

 The Writer Names attribute lists the distinguished
 names of users permitted to modify information held by this DSA.
 Having write access automatically gives read access as well.

 Syntax:
 	SET DSA WRITER NAMES {<name>, ....}

 where <name> is the distinguished name of a user, for example:

 	"/C=US/O=Abacus/OU=Sales/CN='Jon Smith'"

 Refer to DSA Common_Datatypes for more information
 on how to specify a distinguished name.

 Note that this is not the recommended way to implement controls
 on user access to directory information. Refer to HP Enterprise
 Directory  - Management for access control advice.

 If the attribute specifies no names, then the DSA places no
 restriction on access, (subject to access controls, and to the
 settings of Writer NSAPs, Reader Names, and Reader NSAPs
 characteristic attributes). However, if any names are listed,
 then only those users have access to information.

 The default value is an empty set of distinguished names, allowing
 all users to access information, subject to other attributes and
 access controls.

 Note also that the DSA refers to the value of this attribute
 whenever it receives a new connection. Once a connection is
 established, the caller is allowed write access for as
 long as the connection lasts. Changing the value of the
 attribute has no effect on existing connections, only on
 subsequent connections.
Close Help