Environment Variables

This chapter provides information about DirX Directory and system environment variables.

Setting Environment Variables

This section provides information on how to set environment variables on Windows and Linux systems.

Using the DirX Directory ini File

In DirX Directory, it is possible to specify all environment variables in the file install_path/conf/dirxenv.ini. (See section ini-File for Setting of Environment Variables in chapter DirX Directory Files for details.) At start-up time, all DirX Directory processes read this ini file. All environment variables specified in this file overwrite a previously-set value.

Windows Systems

On Windows systems, do the following to set environment variables:

  1. Click Start.

  2. Search for Edit the system environment variables, and then click it.

After modifying the environment variables, you must re-start the DirX Directory Service so that the modifications take effect. Depending on the operating system version, you must reboot your computer for the modifications to take effect.

Linux Systems

All environment variables used by the server must be defined in the file .dirxrc.

To set environment variables, perform the following steps:

  1. Edit the file install_path/.dirxrc and insert the lines that specify the values of the environment variable and export it in the following format:

    environment_variable_name=value1[:value2:…]
    export environment_variable_name

    Example

    DIRX_TMP=/var/tmp
    export DIRX_TMP
  2. Re-start the DirX Directory Service so that the modifications take effect.

DirX Directory Environment Variables

This section is a table that describes the DirX Directory environment variables. The table includes the variable name and description, the DirX Directory commands and processes that use the variable, and the variable default value, which is used if the variable is not set.

Name Description Used by…​ Default

DIRX_ABBR_FILE

Supplies the name of the attribute abbreviation file in the format:

file1[:file2:…] (on Linux systems)

file1[;file2;…] (on Windows systems)

If more than one abbreviation file is specified, the colon (:) is used as separator between different filenames on Linux systems. On Windows systems, the semicolon (;) is used as separator.

Example:
dirxabbr:dirxabbr-ext-meta (Linux systems)

dirxabbr;dirxabbr-ext-meta (Windows systems)

The dirxadm, dirxcp and dirxauddecode commands

$DIRX_INST_PATH/client/conf/dirxabbr

DIRX_ADDITIONAL_LDAP_SERVERS

Supplies the common name(s) of LDAP configuration subentries and RPC port number(s) for additional LDAP servers to be started, in the format subentry_name+RPC_port_number[:…]. (If you are starting more than one additional LDAP server, use the colon as a separator between subentry+RPC port pairs.)
Example:
ldapconf2+6998:ldapconf3+6997

The DirX Directory processes starting the Directory Service (dirxadm sys start operation).

DIRX_BLACKBOX_SIZE

Specifies the number of most recently received correct LDAP PDUs representing client requests that are stored in the LDAP server’s black box. This black box can be used to analyze the history of the LDAP server operations.

The LDAP server

0 (PDUs)

DIRX_CLCFG_FILE

Supplies the name of the DirX Directory client configuration file and the LDAP server configuration file.

The dirxcp command and the LDAP server

For the dirxcp command:
$DIRX_INST_PATH/client/conf/dirxcl.cfg

For LDAP server processes:
$DIRX_INST_PATH/ldap/conf/dirxldap.cfg

DIRX_CONLIMIT

Specifies the maximum number of connections supported by the server processes. The maximum value for this environment variable is 4000.

(For OSI communication, the maximum and default value is 128.)

The DSA process and the LDAP server

4000

DIRX_CTX_LIMIT

Specifies the maximum memory size of the DirX Directory processes in MB.

This value does not contain the size of the DBAM database buffer cache. (See DIRX_DSA_CACHE_SIZE for details.)

Due to platform restrictions, large search results may exceed this limit. In this case, DAP/LDAP clients should make use of simple page search operations to reduce memory usage in the DSA process.

For dirxload and the DSA process:

For 32 bit: On Windows, DIRX_CTX_LIMIT + DIRX_DSA_CACHE_SIZE must be lower than or equal to 1638; on Linux, lower than or equal to 3276.

On 64 bit platforms, the restriction of 2 or 4 GB is no longer valid. The memory limit assigned to the DirX Directory processes depends on the main memory that is physically available and on the number of applications that need to share this memory.

All DirX Directory processes

For the dirxload command and the DSA process:
On Windows 32 bit:
1638 - DIRX_DSA_CACHE_SIZE
(if the result is greater than 0)
On Linux 32 bit:
3276 - DIRX_DSA_CACHE_SIZE
(if the result is greater than 0)

For the LDAP server: 1600

For the dirxcp, dirxadm and other commands: unlimited.

DIRX_CTX_LIMIT_SINGLE

Specifies the maximum size of a single memory CTX in MB. Increase the default value if huge operations are expected, for example an add operation containing a big number of huge attributes.

All DirX Directory processes

The default maximum single CTX size is 50 % of DIRX_CTX_LIMIT or DIRX_LDAP_CTX_LIMIT respectively

DIRX_CTX_MAX_SINGLE_ALLOC_MEMSIZE

Specifies the maximum single allocation size within a memory context in MB. Increase this value if an operation containing a really huge attribute value is expected, for example adding one huge certificate-revocation-list. Consider adjusting DIRX_CTX_LIMIT, DIRX_LDAP_CTX_LIMIT and DIRX_CTX_LIMIT_SINGLE in the event that the maximum size for a single allocation is increased.

All DirX Directory processes

256 MB

DIRX_DEFAULT_LDAP_SERVER

Supplies the common name of the LDAP configuration subentry of the first / default LDAP server to be started if the default LDAP configuration subentry with the name ldapConfiguration should not be used.

Example: ldapServerConfig

The DirX Directory processes starting the Directory Service (dirxadm sys start operation).

ldapConfiguration

DIRX_DEL_TIME

Specifies the time threshold (in hours) for trace and exception message file deletion. Any temporary file, for example the schema dump file, and any trace or exception file (LOG, USR, EXC* in the trace file directories), that was created more than DIRX_DEL_TIME before DirX Directory process startup will be deleted.

All DirX Directory processes

No trace file is deleted.

DIRX_DIRSTR_CHOICE

Specifies the string representation for attribute values with Directory String syntax for DAP binds.

Valid values are:

  • T61 - Attribute values with Directory String syntax are represented in T61 format

  • BMP - Attribute values with Directory String syntax are represented in BMP format

  • UTF8 - Attribute values with Directory String syntax are represented in UTF-8 format

The dirxcp, the dirxadm command, and the LDAP server

Attribute values are represented in UTF8 format.

DIRX_DONT_CHECK_DN_IN_CERT

By setting this environment variable to any value, the syntax check of the Distinguished Names contained in certificates is skipped. This may be useful if the DNs contain attribute types for the naming attributes that are not in the DirX Directory schema. This may occur because certificates are created and encoded by external applications, for example, Certification Authorities.

The dirxload command and the DSA process

Not set. (Do not omit the syntax checks of DNs contained in certificates)

DIRX_DSA_CACHE_DISABLED

Disables (TRUE) or enables (FALSE) the DBAM database buffer cache.

The dirxload command and the DSA process

The DBAM cache is enabled (FALSE).

DIRX_DSA_CACHE_SIZE

Specifies the size of the DBAM database buffer cache in megabytes (MB), from 256 to 2048 (1 TB on 64-bit platforms).

On Windows 32 bit, DIRX_CTX_LIMIT + DIRX_DSA_CACHE_SIZE must be lower than or equal to 1638; on Linux, lower than or equal to 3276.

On 64-bit platforms, the restriction of 2 or 4 GB is no longer valid. The memory limit assigned to the DirX Directory processes depends on the main memory that is physically available and on the number of applications that need to share this memory.

The dirxload command and the DSA process

256

Note that this value is too low for large databases (greater than 2 million entries). It is recommended to use at least 512 MB.

DIRX_DSA_CHECKPOINT_SIZE

Specifies the number of transactions per DBAM buffer cache checkpoint, from 1 to 100000. The higher this number, the more main memory is required.

The dirxload command and the DSA process

10000

DIRX_DSA_DISP_TUBM

Specifies the behavior of DSA in case of shadowing agreements with total update by media. The value 0 disables generation of the backup signature. The value 1 enables it.

The DSA process

1 (Enables generation of the backup signature.)

DIRX_DSA_EXTOP_ADM_BIND

Specifies the dse bind operation in string format. (See dse bind operation for details.)

Example:
bind -user /o=My-company/cn=admin -pass dirx -auth simple

The DSA process

DIRX_DSA_NAME

Specifies the DSA’s distinguished name in LDAP format. (See section titled Distinguished Names in chapter DirX Directory String Representation for LDAP Binds in DirX Directory Syntaxes and Attributes for details.)

Incorrect administration of this environment variable will result in a DIRX_DSA_NAME conflict and the DSA will not be able to run.

Example:
cn=DSA1,o=My-Company

The DSA process

cn=DirX-DSA-hostname

DIRX_DSA_OB_SHOW_DISPLAY_DEF_VALUES

Specifies whether the dirxadm sob show operation displays the default values for the sob_initiator_policies. (See section SOB-Policies in chapter DirX Directory String Representation for DAP Binds in the DirX Directory Syntaxes and Attributes for details.) Specify one of the following values:

0—do not display default values
1—display default values

The DSA process

1 (Display default values.)

DIRX_DSA_OUTSOURCED_ATTR_MIN_LENGTH

Specifies the minimum size of all values of an outsourced attribute at which the values are stored in extra DBAM blocks.

The dirxload command and the DSA process

64980 bytes

DIRX_DSA_REPLACE_INTERVAL

Specifies the page replace check interval of the DBAM cache, in seconds. Specify a value between 1 and 60 (seconds).

The environment variable DIRX_DSA_REPLACE_MODE specifies the DBAM cache filling degree.

The dirxload command and the DSA process

10

DIRX_DSA_REPLACE_MODE

Specifies the percentage of used DBAM cache space at which the DSA or dirxload command starts to replace pages in the DBAM cache.

Specify a value between 0 % and 100 %.

A value of 0 disables the effect of the filling degree. Replacing pages in the DBAM cache is controlled only by DIRX_DSA_REPLACE_INTERVAL.

Values between 90 and 100 disable the time triggered page replace mechanism. In this case pages are replaced only in the event of a buffer cache shortage.

When specifying values between 1 and 89 replacing pages in the DBAM cache is controlled by DIRX_DSA_REPLACE_INTERVAL and DIRX_DSA_REPLACE_MODE.

For best performance values lower than 70 are not recommended.

The dirxload command and the DSA process

85

DIRX_DSA_STATISTIC_INTERVAL

Specifies the interval (in number of operations) at which statistics and/or performance data should be written to the trace file install_path/Server/log/dsasap<process_id>.txt, from 1 to 2^32-1. This variable is only evaluated when DIRX_DSA_STATISTIC_MODE is set to a value.

The dirxload command and the DSA process

100000

DIRX_DSA_STATISTIC_MODE

Specifies whether statistics and/or performance data is collected. Specify one of the following values:

1—collect statistical data
2—collect performance data
3—collect both statistical and performance data

The dirxload command and the DSA process

Unspecified.

DIRX_DSA_STATISTIC_RESET

Specifies whether the statistics counters are reset after writing statistic data to the trace file. (See also DIRX_DSA_STATISTIC_INTERVAL) Specify one of the following values:

0—don’t reset counters
1—reset counters

The dirxload command and the DSA process

0

DIRX_DSA_SYNC_TIMEOUT

Specifies the maximum time in seconds that a master DSA waits for an incremental update result from a synchronous consumer DSA.

The DSA process

5 seconds

DIRX_DSA_TOTP_ISSUER

Specifies the provider or service associated with a DirX Directory time-based one-time password (TOTP) secret for a user in a TOTP two-factor authentication (2FA) configuration. When this environment variable is set, the DSA inserts the specified string into the TOTP secret it creates for a user; otherwise, the DSA uses the string DirX. The TOTP authenticator app on the user side typically displays the issuer string along with the user’s 6-digit TOTP.

The DSA process

DirX

DIRX_DSA_TOTP_PERIOD

Specifies the validity period in seconds for time-based one-time passwords (TOTPs) issued by the authenticator app in a DirX Directory two-factor authentication configuration. When this value is reached, the authenticator app generates a new TOTP for the user.

The DSA process

30 seconds

DIRX_FORCE_SYNC_CONSUMER

Forces a master DSA to accept update operations only if at least one synchronous consumer DSA is online and its data synchronicity status is set to TRUE. If this condition is not met, the master DSA is to reject update operations with the error code “unwilling to perform the operation”.

Example:
DIRX_FORCE_SYNC_CONSUMER=1

The DSA process

DIRX_GLOBAL_PPO_STATES

Specifies whether password policy-related state changes are effective only on the DSA where the bind operation occurred or whether the state changes are distributed and replicated to all DSAs within a floating master scenario. (See also the section “Password Policies in a Shadow Configuration” in the DirX Directory Administration Guide.) Specify one of the following values:

0—local password policy states
1—global password policy states

The DSA process

0

DIRX_HOST_NAME

Specifies the host name of the system. In the event that there are multiple host names for a system you must specify this environment variable. The value is used to retrieve the IP address of the host.

The DSA process

DIRX_INST_PATH

Supplies the pathname of the base directory in which DirX Directory is installed.

All DirX Directory processes

/opt/dirx or the user’s home directory (on Linux systems)

C:\Program Files\DirX\Directory (on Windows systems)

DIRX_IP_STACK

Specifies the IP version of incoming traffic for which the DirX Directory servers listen. Specify one of the following values:

  • 4 - IP version is IPv4 (default)

  • 6 - IP version is IPv6

  • ALL - IP version is IPv4 and IPv6 (only for dual-stack machines)

The DSA process and the LDAP server

4

DIRX_KEY3DB_FILE

Specifies the full pathname of the file that contains the Private Key used for SASL binds with the mechanism EXTERNAL. (See section Key Database for details.)

The dirxcp obj bind command

When this environment variable is not set, the file $DIRX_INST_PATH/client/conf/key3.db is used.

DIRX_LAMEVENT

Specifies the number of entries after which an event message is written reporting the progress of writing a total LDIF content file.

The value must be greater than or equal to 1000. If a value lower than 1000 is specified, an event message is written after writing 1000 entries to the LDIF file.

The DSA always writes an event message when starting and completing writing a total LDIF content file.

Example: DIRX_LAMEVENT=5000
The DSA writes an event message each time it has written 5000 entries to the LDIF file.

The DSA process

No processing event messages are written.

DIRX_LDAP_AUTO_DISABLE_FAILING_DSA

Specifies the number of seconds for which the LDAP server will temporarily disable a failing DSA from its active contact DSA table.

The LDAP server

60

DIRX_LDAP_CACHE_ALLOWED_USER

Specifies DNs of users that must perform the search operation in order to store the search result in the LDAP cache.

Multiple DNs must be separated by a colon :.

The specified DNs must not contain non-ASCII characters or the colon : character.

The LDAP server ignores the case for all RDNs.

The full user DN must be listed in the environment variable.

Search results of requests performed by a user whose DN does not match any of the DNs listed in the environment variable are not stored in the LDAP cache.

Example:
DIRX_LDAP_CACHE_ALLOWED_USER=cn=wf-1,o=my-company:cn=wf-3,o=my-company

The LDAP server

Absent

The LDAP server stores search results of all users in the cache.

DIRX_LDAP_CACHE_BANNED_BASE_OBJ

Specifies DNs that direct the LDAP server not to store a search result in the cache if the DN matches the base object in the corresponding search request.

Multiple DNs must be separated by a colon :.

The specified DNs must not contain non-ASCII characters or the colon : character.

The LDAP server ignores the case for all RDNs.

The full base object DN must be listed in the environment variable.

Example:
DIRX_LDAP_CACHE_BANNED_BASE_OBJ=OU=conf,O=my-company:CN=process,OU=conf,O=my-company

The LDAP server

Absent

The LDAP server stores search results of all users in the cache.

DIRX_LDAP_CACHE_BANNED_REQ_ATTR

Specifies the attribute types that direct the LDAP server not to store a search result in the cache if the attribute type is listed in the requested attributes of the corresponding search request.

Multiple attribute types must be separated by a colon :.

The shortcuts *, + and @ cannot be specified and are not evaluated when they are contained in the request; that is, if, for example, the attribute cn is contained in the list of banned attribute types and in a search result that was generated by a search request with * as the requested attribute, the LDAP server stores this search result in the cache.

Example:
DIRX_LDAP_CACHE_BANNED_REQ_ATTR=dxrRole:title

The LDAP server

Absent

The LDAP server stores search results of all users in the cache.

DIRX_LDAP_CTX_LIMIT

Specifies the maximum memory size of the LDAP server (dirxldapv3) process in MB. The LDAP server uses this memory for the operation threads and the LDAP cache.

By specifying this environment variable, a CTX limit setting different from the one of the DSA process is established.

The LDAP server

The value of DIRX_CTX_LIMIT.

DIRX_LDAP_HOST_NAME

Specifies the host name of the system. If there are multiple host names for a system, you must specify this environment variable. The value is used to retrieve the IP address of the host. It can be used to assign one specific IP address out of multiple IP addresses for the LDAP server RPC.

The LDAP server process

Empty

The LDAP server establishes its RPC ports for the IP address that belongs to the host named in the function hostname.

DIRX_LDAP_LISTEN_IP

Specifies exactly one IP address over which clients can bind to the LDAP server. It has the same effect as the configuration attribute ldapListenIPList.

The LDAP server process

all

The LDAP server establishes its ports (plain and SSL) for any available IP address of the host.

DIRX_LDAP_IGNORE_CACHEABLE_FLAG

Specifies whether results of chained searches are stored in the LDAP cache. Valid values are:

  • 1 - Store results of chained searches in the LDAP cache.

  • 0 - Do not store results of chained searches in the LDAP cache.

The LDAP server process

0 (Do not store results of chained searches.)

DIRX_LDAP_PMAP_PORT

Supplies the port number of the portmapper for the RPC connection between LDAP server and dirxadm. You should use DIRX_LDAP_PMAP_PORT only if there is a conflict for the default port number on your system.

The LDAP server process and dirxadm

6999

DIRX_LDAP_RPC_START_PORT

Supplies the port number of the LDAP server’s RPC interface.

The LDAP server process

6200

DIRX_LDAP_SERVER_DN

Supplies the Common Name (CN) attribute value of the LDAP server. The LDAP server uses this name to perform the initial DSA bind.

Example:
DIRX_LDAP_SERVER_DN=LDAPServer

The LDAP server process

DirX-LdapServerV3

DIRX_LDAP_SSL_EXPIRY_WARN_TIME

Specifies the number of days before its own certificate is due to expire at which the LDAP server starts sending out warnings. A value of 0 switches off the warnings. The LDAP server writes the warnings to the LDAP server exception log up to 10 times. Expiry is checked at every SSL handshake (LDAP SSL-Bind).

The LDAP server process

30

DIRX_LDIF_SPLIT

Controls the size of the LDIF file(s) that a DSA writes when processing an LDIF agreement:

  • YES – the file is split into one or more files of (approximately) 1GB. This is the default behavior.

  • NO – the LDIF file is not split.

  • Number (between 10 and 1500) – the file is split into one or more files of (approximately) Number MB. If Number is outside the range of 10 through 1500, the file is split into files of (approximately) 1 GB.

The DSA appends a consecutive number (in the format .n) to the filename starting with the value 1 for the second file.

The DSA process

YES

DIRX_LICENSE_CHECK_INTERVAL

Specifies the interval at which DirX Directory license checking is to be regularly performed, in seconds. By default, license checking is performed once a day (86400 seconds) after DSA startup. Use this environment variable to increase the frequency of this operation. The permitted intervals range from 300 seconds to 86400 seconds.

The DSA process

86400

DIRX_LOG_DATASIZE

Supplies the maximum length of data to be logged in a log record, in 16-byte units.

All DirX Directory processes

64
(64 * 16 bytes = 1024 bytes)

DIRX_LOGCFG_FILE

Supplies the name of the log configuration file.

All DirX Directory processes

For the dirxadm and dirxcp commands: $DIRX_INST_PATH/client/conf/dirxlog.cfg

For DSA processes: $DIRX_INST_PATH/server/conf/dirxlog.cfg

For LDAP server processes: $DIRX_INST_PATH/ldap/conf/dirxlog.cfg

DIRX_MAP_CERT_ALTNAME_ATTR

Specifies the OID of the attribute used to map an entry that performed a SASL bind if the attribute LDAP SASL Authz Id Mapping is set to Certificate.extensions.altName.email.

The DSA process

1.2.840.113549.1.9.1 (the OID of the “email” attribute)

DIRX_MAX_AUD_FILE_SIZE

Specifies the maximum file size of the binary DSA audit log file in MB. A value of 0 specifies an unlimited file size. Note that this behavior may lead to errors due to the 32-bit I/O mechanism used by the dirxauddecode command when files exceed 2 GB. The default file size is 256 MB.

In addition to the maximum file size in MB, the maximum number of records specified in the –size option of the dirxadm audit modify operation also limits the size of the DSA audit log file.

If either the maximum number of audit records or the maximum size in MB of the audit file is exceeded the -overflow option of the dirxadm audit modify operation specifies the action to take.

The DSA process

265 MB

It is recommended not to specify limits that are too small because wrapping or moving the audit log file is more expensive than writing an audit record.

The dirxauddecode command evaluates the binary audit log file and generates an ASCII output file. Due to 32-bit code and internal data representation, the dirxauddecode command cannot handle files greater than 2GB. Unfortunately, it is not possible to determine the size of the generated ASCII output file from the binary audit log file. However, the generated ASCII output file is usually five to ten times larger than the binary audit log file. Therefore, it is necessary to limit the maximum file size.

DIRX_MAX_THREADS

Specifies the maximum number of parallel threads per process. The maximum value is 512.

The DSA process and the LDAP server process individually/separately

256

Note that this value must be adapted to your system configuration.

DIRX_MIN_SCHEDULE_WAITERS

Controls the scheduling of shared waiters of shared resource users. It specifies the minimum number of scheduled shared waiters that get access to the shared resource after the exclusive user has released it.

Specify a value between 0 and 128. This value specifies the total number of waiters. It does not specify the number of waiters per processor.

A value of 0 specifies that all shared waiters get access to the resource.

The dirxload command, the DSA and the LDAP server process

2 per processor

DIRX_OWN_PSAP

Specifies the DSA’s own PSAP address. If this environment variable is not specified, the server exits during initialization.

The value of this environment variable specifies whether the OSI stack or the IDM stack is used by the DSA. It also controls whether or not the secure IDM stack (IDMS) is initialized and a listener is started on the secure IDM port.

It is also used for replication purposes: The PSAP addresses of the DSAs are maintained in the cooperating DSA table (CDT). In order to get working shadowing and LDIF agreements the PSAP address specified in this environment variable must match the PSAP address of all agreements affected.

The DSA process

The installation specifies the IP address for IDM:

TS=DSA1,NA='TCP/IP_IDM!internet=ip_address+port=21200'

The value must be specified in the following format:

  • OSI stack:

TS=t_selector,NA='TCP/IP!internet=ip_address+port=port_number'

  • IDM stack:

TS=t_selector,NA='TCP/IP_IDM!internet=ip_address+port=port_number'[,DNS=DNS_String]

where

t_selector is a string of at most 10 characters,
ip_address is the DSA’s IP-address in dotted notation,
port_number is the DSA’s port number,
DNS_Name is the DNS name, and
ip_version the IP protocol version. (See section Presentation-Address in chapter DirX Directory String Representation for DAP Binds in DirX Directory Syntaxes and Attributes for details on the PSAP address and the use of the DNS subcomponent.)

For example:
DIRX_OWN_PSAP=TS=DSA1,NA='TCP/IP_IDM!internet=123.4.5.6+port=21200',DNS='(HOST=myServer,PLAINPORT=21200,SSLPORT=21201)'

The values in the Directory Client and the LDAP server configuration files must be administered accordingly.

The local loopback address (127.0.0.1) is only allowed for test scenarios with standalone DSAs.

DIRX_PMAP_PORT

Supplies the port number of the portmapper for the RPC connection between DSA and dirxadm. You should use DIRX_PMAP_PORT only if there is a conflict for the default port number on your system.

The DSA process and dirxadm

5999

DIRX_PROGSVR_NUMBER_OF_WORKERS

Specifies the number of worker threads that are used in the dirxprogsvr process to execute procedures specified in LDIF policies in LDIF agreements on generated LDIF files.

The dirxprogsvr process

4

DIRX_PROGSVR_PMAP_PORT

Supplies the port number of the portmapper for the RPC connection between the Progsvr and DSA. You should use DIRX_PROGSVR_PMAP_PORT only if there is a conflict for the default port number on your system.

The dirxprogsvr process

7999

DIRX_PROGSVR_RPC_START_PORT

Supplies the initial port number of the Progsvr’s RPC interfaces. The Progsvr uses a single port for its RPC interface in the range 6000 to 6199.

The dirxprogsvr process

6000

DIRX_RPC_CONNECT_ADDR

Specifies exactly one IP address over which the DSA process can connect to the Progsvr.

The DSA process

127.0.0.1

DIRX_RPC_LISTEN_ADDR

Specifies exactly one IP address over which RPC clients (dirxadm and DirX Directory Manager) can bind to the server.

If an invalid IP address is specified, the respective server process does not start.

If the local loopback address 127.0.0.1 is specified, only local clients can access the respective server. This setting may be useful for administrative tasks.

The DSA process and the LDAP server process

The DirX Directory server processes establish their RPC ports for any available address of the host.

DIRX_RPC_START_PORT

Supplies the initial port number of the DSA’s RPC interfaces. The DSA uses five subsequent port numbers for its five RPC interfaces.

The DSA process

6000 (The DSA uses the port numbers 6000 through 6004.)

DIRX_SHPEVENT

Specifies the types of shadowing operations that should write notice messages. The messages comprise events for starting and completing incremental updates (or the creation of change files in the case of LDIF agreements). The following values are supported:

  • 0—Write events for asynchronous scheduled agreements

  • 1—Write events only for asynchronous on-change and scheduled agreements

  • 2—Write events for asynchronous on-change, scheduled and LDIF agreements

  • 3—Same as 2

  • 4—Write events for all types of agreements: synchronous, asynchronous on-change, asynchronous scheduled, and LDIF agreements

Note that starting and completing total updates and a potential clean-up of the journal causes a notice message to be written independent of the value of DIRX_SHPEVENT.

The DSA process

No processing event messages are written.

DIRX_SNMP

Specifies whether sending SNMPv2-traps is enabled (value 1) or not.

The DSA process, the LDAP server process, and the watchdog (dirxdsas / dirxsrv)

Sending SNMPv2-traps is disabled.

DIRX_SNMPTRAPS_CFG

Specifies the fully qualified filename of the SNMPv2-trap configuration file.

The DSA process, the LDAP server process and the watchdog (dirxdsas / dirxsrv)

$DIRX_INST_PATH/conf/snmptraps.cfg

DIRX_SSL_HOSTS

Specifies the IP Address of the LDAP server’s host that is trusted to initiate the special DAP bind onto which LDAP SASL EXTERNAL binds are mapped. The specification of substrings is possible; for example, DIRX_SSL_HOSTS=1 means that every LDAP server running on a machine with an IP address starting with 1 is accepted as special DAP bind initiator.

The DSA process

127.0.0.1

DIRX_SYSLOG

Specifies whether the DirX Directory syslog feature is enabled (set to 1) or not (not set).

When enabled, the process performs the syslog operation on Linux systems. (See your operating system documentation for details of syslog ().)

Before this environment variable can take effect, you must configure the DirX Directory syslog feature in the corresponding configuration files dirxlogflt.cfg. (See section syslog Configuration File in chapter DirX Directory Files for details.)

You must also configure the system log daemon on Linux in the file /etc/syslog.conf. (See your operating system documentation for details.)

All DirX Directory processes

No messages are passed to the Linux syslog daemon (syslogd).

DIRX_TMP

Specifies the full pathname of the directory where temporary files are stored when performing post-indexing, the dirxload command, or a backup verification with the dirxbackup or the dbamverify command.

You must use a file system type that supports the full range of 64-bit offsets.

The dirxadm db attrconfig operation, the dirxload, the dirxbackup, and the dbamverify commands

$DIRX_INST_PATH/tmp

DIRX_TRUSTED_CA

Specifies the full pathname of the file that contains the server certificates or CA certificates used for SSL binds and SASL binds with the mechanism EXTERNAL. (See the section SSL/TLS Certificate Database for details.)

The dirxcp obj bind operation

When this environment variable is not set, the file $DIRX_INST_PATH/client/conf/cert8.db is used.

DIRX_USE_HTTP

Specifies whether (value 1) or not (value 0) the dirxhttp process is started automatically by the watchdog.

The watchdog (dirxdsas / dirxsrv)

1

DIRX_USE_PROGSVR

Specifies whether (value 1) or not (value 0) the dirxprogsvr process is used to execute procedures specified in LDIF policies in LDIF agreements on generated LDIF files.

The DSA process and the watchdog (dirxdsas / dirxsrv)

1

DIRX_WDOG_RESTART_LDAP_ON_DSA_RESTART

Specifies whether (value 1) or not (value 0) the DirX Directory watchdog process automatically re-starts an LDAP server when its corresponding DSA fails. This mode of operation results in unconditional loss of all existing LDAP connections at the failing DSA.

The watchdog process (dirxsrv on Windows, dirxdsas on Linux)

1 (Watchdog automatically re-starts the LDAP server on a DSA failure.)

DIRX_X500_MODIFY

You must specify any value for this environment variable for X.500 interworking. Keep in mind that X.500 interworking may restrict the use of some features, for example password policy.

If this environment variable exists, the LDAP server does not send the DirX Directory proprietary extension -replaceattr in obj modify operations to the DSA. Instead of performing one obj modify -replaceattr operation, the LDAP server performs a corresponding sequence of an obj read operation followed by an obj modify operation using only the X.500 standard compliant options -addattr, -changeattr, and -removeattr.

The LDAP server process

When this environment variable is not set, the LDAP server sends the DirX Directory proprietary extension -replaceattr in obj modify operations to the DSA.

Operating System Environment Variables

This section provides information on how to use operating system environment variables that affect the DirX Directory Service.

System Directories for Temporary Files

When performing huge search operations, the DSA stores PDUs temporarily in the system directory for temporary files. On Windows, this directory is specified by the environment variable TMP, on Linux by the environment variable TMPDIR. The administrator must make sure that enough disk space is available for this directory. If this variable is not specified, the DSA stores the temporary files in the directory install_path/tmp.

Enabling KEEPALIVE Time/Interval

It is recommended to set the timer/interval for the socket option KEEPALIVE so that connections that are no longer in use and were not closed properly by a remote client are closed. This timer is enabled by specifying the environment variable CMXSOCKET. Set CMXSOCKET in the following way:

  • CMXSOCKET="-Kkk"

where kk can be any value greater than 0. This value enables the keepalive functionality in the operating system with the associated timer values configured with system tools. If there is no data flow during the period determined by the KEEPALIVE timer, the operating system checks whether the partner of the TCP connection still exists.

The following sections provide information on how to specify the timer value on the different operating systems.

Specifying KEEPALIVE Time on Windows

The parameter KeepAliveTime must be created/modified in the registry with regedit:

Registry path:

    HKEY_LOCAL_MACHINE\System
        \CurrentControlSet
            \Services
                \Tcpip
                    \ ParameterName

where ParameterName is KeepAliveTime (type REG_DWORD). Specify a value from 1 through 0xFFFFFFFF milliseconds. The default value is 7200000 milliseconds (two hours).

KeepAliveTime specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and working, it will acknowledge the keep-alive transmission.

Keep-alive packets are not sent by default. If they are not yet enabled by an application, enable sending of keep-alive packets by specifying the parameter KeepAliveInterval (type REG_DWORD) under the same registry path as the parameter KeepAliveTime. Specify a value from 1 through 0xFFFFFFFF milliseconds. The default value is 1000 milliseconds (1 second).

KeepAliveInterval specifies the interval between keep-alive retransmissions until a response is received and, once a response is received, specifies the delay until the next keep-alive transmission.

The connection will be aborted after the number of retransmissions specified by the parameter TcpMaxDataRetransmissions REG_DWORD remain unanswered. The default value for this parameter is 5.

Specifying KEEPALIVE Time on Linux

Use the sysctl command to specify the parameter net.ipv4.tcp_keepalive_time in seconds. The default value is 7200 seconds (two hours). Run the following command:

  • /sbin/sysctl -w net.ipv4.tcp_keepalive_time=timer_value_in_seconds

Instead of running this command, you can specify the timer value in the file /etc/sysctl.conf. Insert the following lines:

# Set tcp_keepalive_time to <seconds> (used by DirX)
net.ipv4.tcp_keepalive_time = timer_value_in_seconds

To display the current active value, perform the command:

  • /sbin/sysctl net.ipv4.tcp_keepalive_time
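The following script checks the two Linux settings described above in their configuration files: that CMXSOCKET="-Kkk" is set and exported in a .dirxrc-style file, and that /etc/sysctl.conf sets net.ipv4.tcp_keepalive_time no higher than a chosen limit. It is an added example, not DirX Directory code; the function names, the 600-second limit and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline audit of the Linux keepalive settings in this section.

# Print kk from CMXSOCKET="-Kkk" in a .dirxrc-style file (name=value, then
# "export name"). Fails if the variable is missing, not exported, or kk is 0.
cmxsocket_kk() {
    kk=$(sed -n 's/^[[:space:]]*CMXSOCKET="\{0,1\}-K\([0-9][0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
    [ -n "$kk" ] && [ "$kk" -gt 0 ] || return 1
    grep -Eq '^[[:space:]]*export[[:space:]]+CMXSOCKET[[:space:]]*$' "$1" || return 1
    echo "$kk"
}

# Print net.ipv4.tcp_keepalive_time from a sysctl.conf-style file.
# Comment lines never match; when the key is repeated, the last one wins.
sysctl_conf_keepalive_time() {
    v=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_keepalive_time[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1)
    [ -n "$v" ] || return 1
    echo "$v"
}

# Check both files; max is the longest idle time in seconds that is accepted
# (a site policy value, assumed here). Returns non-zero on any finding.
audit_keepalive() {
    dirxrc=$1; conf=$2; max=$3; rc=0
    if kk=$(cmxsocket_kk "$dirxrc"); then
        echo "OK   CMXSOCKET enables keepalive (-K$kk)"
    else
        echo "FAIL CMXSOCKET=\"-Kkk\" with kk > 0 is not set and exported"; rc=1
    fi
    if secs=$(sysctl_conf_keepalive_time "$conf"); then
        if [ "$secs" -le "$max" ]; then
            echo "OK   tcp_keepalive_time=$secs"
        else
            echo "FAIL tcp_keepalive_time=$secs exceeds $max"; rc=1
        fi
    else
        echo "FAIL tcp_keepalive_time not set; the 7200 s default applies"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from a real installation).
d=$(mktemp -d)
printf 'DIRX_TMP=/var/tmp\nexport DIRX_TMP\nCMXSOCKET="-K1"\nexport CMXSOCKET\n' > "$d/dirxrc"
printf '# Set tcp_keepalive_time (used by DirX)\nnet.ipv4.tcp_keepalive_time = 300\n' > "$d/sysctl.conf"
audit_keepalive "$d/dirxrc" "$d/sysctl.conf" 600
rm -rf "$d"
```

The script reads configuration files only; compare its result with the output of /sbin/sysctl net.ipv4.tcp_keepalive_time to confirm the value that is currently active.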