PingDS

Setup profiles

A setup profile lets you configure a server for a specific use case. Profiles greatly simplify the directory server setup process for such use cases, such as preparing a directory server to serve another Ping Identity Platform component product.

You can configure a setup profile using the setup command, or the setup-profile command after initial setup. The setup-profile command runs on a server that is offline.

Select a profile with the --profile option. Each profile has its own parameters, some of which have default values. You specify profile parameters with --set options.

The profile selection option takes the form --profile profileName[:version]. If you do not specify the optional :version portion of the argument, the setup command uses the current DS software version, falling back to the previous version if the current version does not match an available profile. Repeat the --profile option to apply multiple setup profiles.

An option to set a parameter takes the form --set[:env|:file] profileName/parameterName:value where:

  • profileName/ indicates which profile the parameter applies to.

    This part is only required when you specify multiple profiles and the parameter is available in more than one of the specified profiles.

    The profileName is case-insensitive.

  • parameterName specifies the parameter to set.

  • value specifies the value the parameter takes when the setup command applies the profile.

Use the setup --help-profiles or setup-profile --help command to list available profiles.

Use the --help-profile profileName[:version] option to list the parameters for the specified profile.

Different data under different base DNs

Nothing prevents you from configuring multiple setup profiles to use the same base DN for different directory data. Keep different directory data under different base DNs.

When the different data sets are incompatible, reusing a base DN can lead to errors, such as the following:

category=CONFIG severity=ERROR msgID=116 msg=An error occurred while trying
to initialize a backend loaded from class org.opends.server.backends.jeb.JEBackend
with the information in configuration entry ds-cfg-backend-id=cfgStore,cn=Backends,cn=config:
An error occurred while attempting to register the base DNs [dc=reused,dc=base,dc=dn] in the Directory Server:
Unwilling to Perform: Unable to register base DN dc=reused,dc=base,dc=dn with the Directory Server
for backend cfgStore because that base DN is already registered for backend amCts.
This backend will be disabled.

Check profiles

The opendj/profiles.version file lists the profiles selected at setup time:

$ cat /path/to/opendj/config/profiles.version
Output
ds-evaluation:8.1.0

Default indexes

For new backends, setup profiles create the following default indexes:

  • ds-certificate-fingerprint (equality index)

  • ds-certificate-subject-dn (equality index)

  • member (equality index)

  • uid (equality index)

  • uniqueMember (equality index)

When a profile adds a backend with default user indexes, it also creates the following default indexes:

  • cn (equality and substring indexes)

  • givenName (equality and substring indexes)

  • mail (equality and substring indexes)

  • sn (equality and substring indexes)

  • telephoneNumber (equality and substring indexes)

Default Setup Profiles

This page lists default profiles with their parameters.

AM Configuration Data Store 6.5.0

The am-config:6.5.0 profile has the following parameters:

backendName

Name of the backend for storing config
Default: --set am-config/backendName:cfgStore
Syntax: Name

baseDn

The base DN to use to store AM’s configuration in
Default: --set am-config/baseDn:ou=am-config
Syntax: DN

amConfigAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

AM CTS Data Store 6.5.0

The am-cts:6.5.0 profile has the following parameters:

backendName

Name of the backend for storing tokens
Default: --set am-cts/backendName:amCts
Syntax: Name

baseDn

The base DN to use to store AM’s tokens in
Default: --set am-cts/baseDn:ou=tokens
Syntax: DN

amCtsAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

tokenExpirationPolicy

Token expiration and deletion
Default: --set am-cts/tokenExpirationPolicy:am

This parameter takes one of the following values:

  • am: AM CTS reaper manages token expiration and deletion

  • am-sessions-only: AM CTS reaper manages SESSION token expiration and deletion. DS manages expiration and deletion for all other token types. AM continues to send notifications about session expiration and timeouts to agents

  • ds: DS manages token expiration and deletion. AM session-related functionality is impacted and notifications are not sent

AM Identity Data Store 8.0.0

The am-identity-store:8.0.0 profile has the following parameters:

backendName

Name of the backend for storing identities
Default: --set am-identity-store/backendName:amIdentityStore
Syntax: Name

baseDn

The base DN to use to store identities in
Default: --set am-identity-store/baseDn:ou=identities
Syntax: DN

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

AM Identity Data Store 7.5.0

The am-identity-store:7.5.0 profile has the following parameters:

backendName

Name of the backend for storing identities
Default: --set am-identity-store/backendName:amIdentityStore
Syntax: Name

baseDn

The base DN to use to store identities in
Default: --set am-identity-store/baseDn:ou=identities
Syntax: DN

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

AM Identity Data Store 7.3.0

The am-identity-store:7.3.0 profile has the following parameters:

backendName

Name of the backend for storing identities
Default: --set am-identity-store/backendName:amIdentityStore
Syntax: Name

baseDn

The base DN to use to store identities in
Default: --set am-identity-store/baseDn:ou=identities
Syntax: DN

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

AM Identity Data Store 7.2.0

The am-identity-store:7.2.0 profile has the following parameters:

backendName

Name of the backend for storing identities
Default: --set am-identity-store/backendName:amIdentityStore
Syntax: Name

baseDn

The base DN to use to store identities in
Default: --set am-identity-store/baseDn:ou=identities
Syntax: DN

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

AM Identity Data Store 7.1.0

The am-identity-store:7.1.0 profile has the following parameters:

backendName

Name of the backend for storing identities
Default: --set am-identity-store/backendName:amIdentityStore
Syntax: Name

baseDn

The base DN to use to store identities in
Default: --set am-identity-store/baseDn:ou=identities
Syntax: DN

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

AM Identity Data Store 7.0.0

The am-identity-store:7.0.0 profile has the following parameters:

backendName

Name of the backend for storing identities
Default: --set am-identity-store/backendName:amIdentityStore
Syntax: Name

baseDn

The base DN to use to store identities in
Default: --set am-identity-store/baseDn:ou=identities
Syntax: DN

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

AM Identity Data Store 6.5.0

The am-identity-store:6.5.0 profile has the following parameters:

backendName

Name of the backend for storing identities
Default: --set am-identity-store/backendName:amIdentityStore
Syntax: Name

baseDn

The base DN to use to store identities in
Default: --set am-identity-store/baseDn:ou=identities
Syntax: DN

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ
Syntax: Password

DS Evaluation 8.0.0

The ds-evaluation:8.0.0 profile has the following parameters:

generatedUsers

Specifies the number of generated user entries to import. The evaluation profile always imports entries used in documentation examples, such as uid=bjensen. Optional generated users have RDNs of the form uid=user.%d, yielding uid=user.0, uid=user.1, uid=user.2 and so on. All generated users have the same password, "password". Generated user entries are a good fit for performance testing with tools like addrate and searchrate
Default: --set ds-evaluation/generatedUsers:100000
Syntax: Number

useOutdatedPasswordStorage

Use Salted SHA-512 as the password storage scheme for the import and default password policy for users.
Default: --set ds-evaluation/useOutdatedPasswordStorage:false

This parameter takes one of the following values:

  • true

  • false

DS Proxied Server 7.0.0

The ds-proxied-server:7.0.0 profile has the following parameters:

proxyUserDn

The proxy user service account DN. This will be used for authorization and auditing proxy requests.
Default: --set ds-proxied-server/proxyUserDn:uid=proxy
Syntax: DN

proxyUserCertificateSubjectDn

The subject DN of the proxy user’s certificate. The proxy must connect using mutual TLS with a TLS client certificate whose subject DN will be mapped to the proxy service account.
Default: --set ds-proxied-server/proxyUserCertificateSubjectDn:CN=DS,O=ForgeRock.com
Syntax: DN

baseDn

Base DN for user information in the server. Multiple base DNs may be provided by using this option multiple times. If no base DNs are defined then the server will allow proxying as any user, including administrator accounts.
Syntax: DN

DS Proxy Server 7.0.0

The ds-proxy-server:7.0.0 profile has the following parameters:

backendName

Name of the proxy backend for storing proxy configuration
Default: --set ds-proxy-server/backendName:proxyRoot
Syntax: Name

bootstrapReplicationServer

Bootstrap replication server(s) to contact periodically in order to discover remote servers
Syntax: host:port or configuration expression

rsConnectionSecurity

Connection security type to use to secure communication with remote servers
Default: --set ds-proxy-server/rsConnectionSecurity:ssl

This parameter takes one of the following values:

  • ssl: Use SSL

  • start-tls: Use Start TLS

keyManagerProvider

Name of the key manager provider used for authenticating the proxy in mutual-TLS communications with backend server(s)
Default: --set ds-proxy-server/keyManagerProvider:PKCS12
Syntax: Name or configuration expression

trustManagerProvider

Name of the trust manager provider used for trusting backend server(s) certificate(s)
Syntax: Name or configuration expression

certNickname

Nickname(s) of the certificate(s) that should be sent to the server for SSL client authentication.
Default: --set ds-proxy-server/certNickname:ssl-key-pair
Syntax: Name or configuration expression

primaryGroupId

Replication domain group ID of directory server replicas to contact when available before contacting other replicas. If this option is not specified then all replicas will be treated the same (i.e all remote servers are primary)
Syntax: String or configuration expression

baseDn

Base DN for user information in the Proxy Server.Multiple base DNs may be provided by using this option multiple times.If no base DNs are defined then the proxy will forward requests to all public naming contexts of the remote servers
Syntax: DN or configuration expression

DS User Data Store 7.0.0

The ds-user-data:7.0.0 profile has the following parameters:

backendName

Name of the backend to be created by this profile
Default: --set ds-user-data/backendName:userData
Syntax: Name

baseDn

Base DN for your users data.
Syntax: DN

ldifFile

Path to an LDIF file containing data to import. Use this option multiple times to specify multiple LDIF files. The path is absolute, or relative to the directory where the profile is defined
Syntax: File or directory path

addBaseEntry

Create entries for specified base DNs when the 'ldifFile' parameter is not used. When this option is set to 'false' and the 'ldifFile' parameter is not used, create an empty backend.
Default: --set ds-user-data/addBaseEntry:true

This parameter takes one of the following values:

  • true

  • false

IDM External Repository 8.1.0

The idm-repo:8.1.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 8.0.0

The idm-repo:8.0.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 7.5.0

The idm-repo:7.5.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 7.4.0

The idm-repo:7.4.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 7.3.0

The idm-repo:7.3.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 7.2.0

The idm-repo:7.2.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 7.1.0

The idm-repo:7.1.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 7.0.0

The idm-repo:7.0.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name

IDM External Repository 6.5.0

The idm-repo:6.5.0 profile has the following parameters:

backendName

IDM repository backend database name
Default: --set idm-repo/backendName:idmRepo
Syntax: Name

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".
Default: --set idm-repo/domain:example.com
Syntax: Domain name