Exec tasks allow administrators and external users to run a specified command on the server, either once or as a recurring task. The server applies a number of restrictions to safeguard the use of these commands and ensure that unauthorized individuals cannot use them. The set of commands that can be executed is also limited: the absolute path to the command to execute must be listed in the <server-root>/config/exec-command-whitelist.txt file. Other safeguards and requirements include:

  • The global configuration must be updated to allow the exec task. The server does not permit it by default. The following configuration change enables this:
    $ bin/dsconfig set-global-configuration-prop \
      --add allowed-task:com.unboundid.directory.server.tasks.ExecTask
  • The user scheduling the task must have the exec-task privilege. The server does not grant permission to run this task to any user by default, not even root users. The following configuration changes grant the exec-task privilege to a single root user, all root users, or a single non-root user:
    # Single root user
    $ bin/dsconfig set-root-dn-user-prop --user-name "{username}" \
      --add privilege:exec-task

    # All root users
    $ bin/dsconfig set-root-dn-prop \
      --add default-root-privilege-name:exec-task

    # Single non-root user (LDIF modification)
    dn: {userdn}
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: exec-task
The schedule-exec-task tool creates an exec task from the command line. For example, the following command schedules an exec task that runs the verify-index tool to check the integrity of the cn index in the backend that hosts "dc=example,dc=com", assuming that the server is installed in /ds:
$ bin/schedule-exec-task --hostname directory.example.com \
  --port 389 \
  --bindDN uid=admin,dc=example,dc=com \
  --promptForBindPassword \
  --waitForCompletion \
  --logCommandOutput \
  /ds/bin/verify-index --baseDN dc=example,dc=com --index cn
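
The whitelist restriction described above is only as strong as the file permissions behind each listed path, so the following audit script is included as an added example (it is not part of the product or its documentation). It assumes the whitelist holds one absolute path per line, with blank lines and lines starting with # skipped; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit an exec-command whitelist file.
# Assumed format: one absolute command path per line; blank lines and
# lines starting with '#' are skipped.

# Succeeds (exit 0) if the path is writable by group or others,
# judged from the mode string that `ls -ld` prints (symlinks followed).
loosely_writable() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_exec_whitelist FILE
# Prints one finding per line. Returns 0 when clean, 1 when there is
# at least one finding, 2 when the whitelist itself cannot be read.
audit_exec_whitelist() {
    whitelist=$1
    findings=0
    [ -r "$whitelist" ] || { echo "UNREADABLE $whitelist"; return 2; }
    if loosely_writable "$whitelist"; then
        echo "WHITELIST-WRITABLE $whitelist"; findings=1
    fi
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|'#'*) continue ;;
            /*) ;;
            *) echo "NOT-ABSOLUTE $entry"; findings=1; continue ;;
        esac
        if [ ! -f "$entry" ] || [ ! -x "$entry" ]; then
            echo "NOT-EXECUTABLE-FILE $entry"; findings=1; continue
        fi
        # A writable command, or a writable directory holding it, lets
        # someone else change what the whitelisted path actually runs.
        if loosely_writable "$entry"; then
            echo "COMMAND-WRITABLE $entry"; findings=1
        fi
        if loosely_writable "$(dirname "$entry")"; then
            echo "DIRECTORY-WRITABLE $entry"; findings=1
        fi
    done < "$whitelist"
    return "$findings"
}

# Usage: audit_exec_whitelist /ds/config/exec-command-whitelist.txt
```

Run it as the account that owns the server installation, and treat any finding as a reason to tighten permissions before enabling the exec task.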