Environment variables used by the LDAP server

There are a number of environment variables that are processed by the LDAP server and utilities. Except for LDAP_DS_ENVVARS_FILE, they can be specified in the LDAP server environment variables file. By default, the file name is /etc/ldap/ds.envvars. The name can be reset by using the LDAP_DS_ENVVARS_FILE environment variable or, if that is not set, by the ENVVAR DD in the procedure that is used to start the LDAP server. Environment variables are read once, during LDAP server initialization. The LDAP server must be stopped and restarted to put a change to an environment variable into effect.

Below are some rules for setting up the environment variables file:
  • The file must be in code page IBM-1047.
  • An environment variable line consists of name=value, starting in column one. Blanks at the end of each line are removed, but no other blanks are removed.
  • A line can be continued by putting a backslash (\) as the last non-blank character on the line. The backslash is removed and the next line is appended to the previous line. The maximum length of the initial line plus all continuation lines is 1024 characters.
  • The value can be entirely enclosed in single quotation marks (') or double quotation marks (") to include trailing blanks and to process a trailing backslash as part of the value rather than as a continuation. The quotation marks are removed from the value.
  • A line that begins with a # in column one is a comment line and is ignored. A trailing backslash (\) on a comment line is ignored and the comment line is not continued.
  • If the name corresponds to an environment variable that is already set (for example, in the started task's environment) and value is specified, the new value is ignored and the existing value is not changed; the file cannot override a variable that is already set. If value is not specified (name= with nothing after the equal sign), the environment variable is deleted.
  • Processing continues with the next line if any error occurs.
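The following parser applies the rules above to a constructed sample file so the resulting environment can be compared with what the server will see. It is an added example, not IBM code. The sample file contents and the starting environment are constructed for the demonstration; treating a blank line as ignorable and "blanks" as space characters are assumptions, and the function takes already-decoded text because Python's standard codecs do not include IBM-1047.

```python
"""Parser for the LDAP server environment variables file (ds.envvars) rules.

Added example, not IBM code.  The real file must be in code page IBM-1047;
this function takes text that has already been decoded.
"""

MAX_LOGICAL_LINE = 1024   # initial line plus all continuation lines
BLANK = " "               # "blanks" taken to mean space characters (assumption)


def _logical_lines(text):
    """Yield logical lines: trailing blanks stripped, continuations joined."""
    physical = text.splitlines()
    i = 0
    while i < len(physical):
        line = physical[i].rstrip(BLANK)
        i += 1
        if line.startswith("#"):      # comment: a trailing backslash does not continue it
            yield line
            continue
        while line.endswith("\\"):    # backslash is the last non-blank character
            line = line[:-1]          # drop the backslash ...
            if i < len(physical):     # ... and append the next physical line
                line += physical[i].rstrip(BLANK)
                i += 1
        yield line


def parse_envvars(text, existing):
    """Return (env, errors): the environment after the file is applied, plus skipped lines."""
    env = dict(existing)
    errors = []
    for line in _logical_lines(text):
        if line == "" or line.startswith("#"):
            continue                  # comment, or blank line (ignored by assumption)
        if len(line) > MAX_LOGICAL_LINE:
            errors.append(("line longer than 1024 characters", line[:40]))
            continue                  # any error: skip the line, keep going
        if line[0] == BLANK or "=" not in line:
            errors.append(("not name=value starting in column one", line))
            continue
        name, value = line.split("=", 1)
        if name == "":
            errors.append(("empty variable name", line))
            continue
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]       # quotes preserve trailing blanks / trailing backslash
        if value == "":
            env.pop(name, None)       # name= with no value deletes the variable
        elif name in env:
            pass                      # already set: the file cannot override it
        else:
            env[name] = value
    return env, errors


# Constructed sample file.  In this Python literal "\\" is a single backslash.
SAMPLE_ENVVARS = """\
# constructed sample ds.envvars; a trailing backslash on a comment is ignored \\
LDAP_DEBUG=FILTER
LDAP_DEBUG_FILENAME=/tmp/\\
ldap.%.trc   
LDAP_STDOUT_FILENAME="/tmp/ldap.out "
LDAP_ERROR_LOGGING=BOTH
LDAP_PRINT_CONFIG=
 LDAP_NETWORK_POLL=5
NOEQUALS
"""

# Constructed: variables already set before the file is read (e.g. by the start procedure).
STARTED_TASK_ENV = {"LDAP_ERROR_LOGGING": "STDERR", "LDAP_PRINT_CONFIG": "1"}


def demo():
    return parse_envvars(SAMPLE_ENVVARS, STARTED_TASK_ENV)


if __name__ == "__main__":
    env, errors = demo()
    for name in sorted(env):
        print(f"{name}={env[name]!r}")
    for reason, text in errors:
        print(f"skipped ({reason}): {text!r}")
```

Running it shows the two rules that most often surprise operators: LDAP_ERROR_LOGGING=BOTH in the file is ignored because the variable was already set to STDERR, and LDAP_PRINT_CONFIG= deletes the variable that was already set. The indented LDAP_NETWORK_POLL line and the line without an equal sign are reported and skipped, and parsing continues.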
The list below describes the LDAP server environment variables:
GLDLOG_MICROSECONDS=ON | anything_else
Controls whether all generated activity log records contain microseconds in their time stamps. Microseconds are added to the time stamp if the value is set to ON. Microseconds are not included if the value is not ON or if the environment variable is not specified. The GLDLOG_MICROSECONDS environment variable is deprecated. See Activity logging or the logFileMicroseconds configuration option at Configuration file options for more information.
GLDLOG_MSG=MSGS | NOMSGS
Controls whether activity log records are generated when messages are created by the LDAP server. Messages are not written to the log if the environment variable is not specified. The GLDLOG_MSG environment variable is deprecated. See Activity logging or the logFileMsgs configuration option at Configuration file options for more information.
GLDLOG_OPS=WRITEOPS | ALLOPS | SUMMARY
Controls which operations generate LDAP server activity log records. No operations are logged if the environment variable is not specified. The GLDLOG_OPS environment variable is deprecated. See Activity logging or the logFileOps configuration option at Configuration file options for more information.
GLDLOG_TIME=TIME | NOTIME | MERGEDRECORD
Controls whether LDAP server activity log records are generated when the operation being logged ends. Log records are not generated when an operation ends if this environment variable is not specified or is set to NOTIME. The GLDLOG_TIME environment variable is deprecated. See Activity logging or the logFileRecordType configuration option at Configuration file options for more information.
IBMSLAPD_REPL_UPDATE_EXTRA_SECS=interval
Specifies, in seconds, how long the advanced replication engine waits for a replication operation to complete before setting an LDAP_TIMEOUT error code. By default, the advanced replication engine waits 60 seconds.
LDAP_ADVREPL_CLEANUP_INTERVAL=interval
Specifies, in seconds, how often backends participating in advanced replication delete replicated updates. If an incorrect value or 0 is specified, the value is set to 900 (delete replicated updates every 15 minutes). This is also the value that is used if the environment variable is not specified.
LDAP_COMPAT_FLAGS=level
Specifies the needed compatibility level setting. The value for LDAP_COMPAT_FLAGS is a mask that you can specify in the following ways:
  • A decimal value (for example, 1)
  • A hexadecimal value (for example, x02 or X02)
  • A keyword (for example, SDBM_MIXEDDN)
  • A construct of these values using plus and minus signs to indicate inclusion or exclusion of a value.

See LDAP_COMPAT_FLAGS environment variable for more information.

LDAP_CONSOLE_LEVEL=I | W | E | A
Specifies the message severity level for sending a message that is created by the LDAP server to the operator console. Messages with a severity equal to or higher than the specified severity are sent to the operator console in addition to the normal output destination. Note that some LDAP server messages are always written to the operator console and are not affected by this value. Messages with a severity of E or higher are sent to the operator console if the environment variable is not specified.
LDAP_CTRACE_BUFFSIZE=size
Sets the amount of storage, in bytes, that the LDAP server allocates for CTRACE records. The minimum value that can be specified is 1024000 bytes. This is also the value that is used if an incorrect value is specified or if the environment variable is not specified. On average, each CTRACE record is about 120 bytes long. See CTRACE in-memory trace records for more information.
LDAP_DEBUG=level
Specifies the needed debug level. The value for LDAP_DEBUG is a mask that you can specify in the following ways:
  • A decimal value (for example, 32)
  • A hexadecimal value (for example, x20 or X20)
  • A keyword (for example, FILTER)
  • A construct of these values using plus and minus signs to indicate inclusion or exclusion of a value.
See Table 1 for more information.
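LDAP_COMPAT_FLAGS and LDAP_DEBUG use the same mask syntax: decimal terms, hexadecimal terms written x20 or X20, keyword terms, and plus or minus signs that add or remove bits. The evaluator below is an added example, not IBM code, showing how such a specification resolves to a bit mask. The keyword table it uses is an assumption for illustration: the page's three LDAP_DEBUG examples (32, x20, FILTER) are taken as naming the same bit, and no other keyword values are assumed; the real tables are the product's Table 1 and the LDAP_COMPAT_FLAGS documentation. Treating keywords as case-insensitive is also an assumption.

```python
"""Evaluate an LDAP_DEBUG / LDAP_COMPAT_FLAGS style mask specification.

Added example, not IBM code.  Keyword values are supplied by the caller;
the table below is illustrative only.
"""
import re

# Illustrative keyword table (assumption): FILTER is taken to be bit 0x20
# because the page's examples pair 32, x20 and FILTER.  The product's
# Table 1 is authoritative and is not reproduced here.
DEBUG_KEYWORDS = {"FILTER": 0x20}

_SIGNED_TERM = re.compile(r"([+-])([^+-]+)")


def _term_value(term, keywords):
    """Resolve one term: decimal, x/X-prefixed hexadecimal, or keyword."""
    t = term.strip()
    if len(t) > 1 and t[0] in "xX":
        return int(t[1:], 16)             # x20 / X20 -> 32 (ValueError if malformed)
    if t.isdigit():
        return int(t, 10)                 # 32 -> 32
    try:
        return keywords[t.upper()]        # case-insensitive keyword (assumption)
    except KeyError:
        raise ValueError(f"unknown keyword or malformed term: {term!r}") from None


def parse_mask(spec, keywords):
    """Return the integer mask for spec, e.g. 'FILTER+x40-32' -> 0x40."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty mask specification")
    if spec[0] not in "+-":
        spec = "+" + spec                 # a leading term is an inclusion
    parts = _SIGNED_TERM.findall(spec)
    if "".join(s + t for s, t in parts) != spec:
        raise ValueError(f"malformed mask specification: {spec!r}")
    mask = 0
    for sign, term in parts:
        value = _term_value(term, keywords)
        if sign == "+":
            mask |= value                 # include these bits
        else:
            mask &= ~value                # exclude these bits
    return mask


def describe_mask(mask, keywords):
    """Name the bits that are set; unnamed bits are reported as a hex remainder."""
    names = sorted(k for k, v in keywords.items() if mask & v == v and v)
    rest = mask
    for k in names:
        rest &= ~keywords[k]
    if rest:
        names.append(f"x{rest:X}")
    return names


if __name__ == "__main__":
    for spec in ("32", "x20", "X20", "FILTER", "FILTER+x40-32", "x7F-FILTER"):
        m = parse_mask(spec, DEBUG_KEYWORDS)
        print(f"{spec:>14} -> 0x{m:X} {describe_mask(m, DEBUG_KEYWORDS)}")
```

Terms are applied left to right, so "FILTER+x40-32" first sets 0x20 and 0x40 and then clears 0x20 again, leaving 0x40. A term that is neither a number nor a known keyword is rejected rather than silently treated as zero, which is the failure mode to watch for when a debug or compatibility setting appears to have no effect.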
LDAP_DEBUG_FILENAME=filename | CTRACE_ONLY
Specifies the fully qualified name of the LDAP debug output file. The debug output is written to stdout if this environment variable is not specified. The debug file is not used if LDAP debugging is not active. If using an output file, make sure that the file is not being used for any other purpose, and restrict access to it: debug output records details of client requests and server processing.

The current process identifier is included as part of the debug file name when the name contains a percent sign (%).

Example: If LDAP_DEBUG_FILENAME is set to /tmp/ldap.%.trc and the current process identifier is 247, the debug file name is /tmp/ldap.247.trc.

If the value is CTRACE_ONLY, all debug output is written only to the internal CTRACE buffers and no debug file is used.

LDAP_DS_ENVVARS_FILE=filename
Specifies the name of the LDAP server environment variables file. The file name in the ENVVAR DD in the start procedure for the LDAP server is used if the environment variable is not specified. If the ENVVAR DD is not specified, the file name defaults to /etc/ldap/ds.envvars.
LDAP_ERROR_LOGGING=STDOUT | STDERR | BOTH
Specifies how error messages are logged. The following values can be specified:
STDOUT
Error messages are written to standard output as specified by the LDAP_STDOUT_FILENAME environment variable.
STDERR
Error messages are written to standard error as specified by the LDAP_STDERR_FILENAME environment variable.
BOTH
Error messages are written to both standard output and to standard error.
Error messages are written to standard error if this environment variable is not specified.
LDAP_NETWORK_POLL=interval
Specifies, in minutes, how often the LDAP server polls a network interface to determine whether it has failed or become active. If 0 is specified, the value is set to 5 (poll every 300 seconds). This is also the value that is used if the environment variable is not specified.
LDAP_PRINT_CONFIG=1 | anything_else
Controls whether the configuration options used by the LDAP server are displayed when the LDAP server is started. The options are displayed if the value is 1 and are not displayed for any other value. The options are displayed if the environment variable is not specified.
LDBM_SHUTDOWN_FAST=1 | anything_else
Controls how a file-based backend (LDBM, CDBM, and file-based GDBM) in the LDAP server stops. Server shutdown typically frees all storage that is allocated and held by each backend. For LDBM, which holds all of its entries in memory, this can be a large amount of storage, and freeing it can be very time consuming. When the value is set to 1, storage that is allocated by the LDBM backend is not released before the LDAP server stops (the storage is eventually released by the operating system). When the value is not 1, the storage is freed before the LDAP server stops. This is also the processing that occurs if the environment variable is not specified.
LDAP_STDERR_FILENAME=filename
Specifies the fully qualified name of the file to receive standard error messages generated using LDAP message services. Messages are written to stderr if this environment variable is not specified. Make sure that the output file is not being used for any other purpose.
LDAP_STDOUT_FILENAME=filename
Specifies the fully qualified name of the file to receive standard output messages generated using LDAP message services. Messages are written to stdout if this environment variable is not specified. Make sure that the output file is not being used for any other purpose.
LDAP_TDBM_CACHEDELAY=interval
Specifies the number of seconds the LDAP server delays before it examines a TDBM Db2® database to detect out-of-date caches, rather than checking on every LDAP request. This can be used to reduce the cost of checking for up-to-date cache information. The caches affected are the referral cache, ACL (access control list) caches, and group cache. This environment variable is only used for a TDBM backend that is running in multiserver mode with a Db2 database that can be shared with a z/OS® Integrated Security Services LDAP server (that is, the DB_VERSION value of the database is less than '4.0' or the serverCompatLevel configuration option is 3).

The valid range for the value is 0 to 2147483647. A value of 0 (zero) causes the Db2 database to be examined once per request. This is the default behavior if this environment variable is not specified.

This environment variable should not be set if there are applications that cannot tolerate temporarily out-of-date cache information in the LDAP server. It is best suited when most LDAP operations are search requests and the directory information is mostly static. It can also be useful even if there are many LDAP update operations, if the updates do not affect referrals, ACLs, or nested and dynamic groups.

LDAP_USE_INTERNAL_RNG=0 | anything_else
Specifies which random byte generator the LDAP server uses for the creation of the salt value for Salted SHA (SSHA) and Salted SHA-2 hashing and the generation of random data bytes for CRAM-MD5 and DIGEST-MD5 authentication binds. The LDAP server uses the System SSL random byte generator that is provided by the gsk_generate_random_bytes() routine if the value is 0 or the environment variable is not specified. When the value is not 0, the LDAP server uses an internal random byte generator. Because these bytes are the salts for stored password hashes and the challenges that protect CRAM-MD5 and DIGEST-MD5 binds against replay, leave the default in place unless there is a specific reason to change it.