The server restricts the kinds of commands that can be executed, and the access level of users who can execute them.

These safeguards and requirements include:

  • The absolute path to the command to execute must be listed in the <server-root>/config/exec-command-whitelist.txt file.
  • The global configuration must be updated to allow the exec task. The server does not permit it by default. The following command enables this.
    $ bin/dsconfig set-global-configuration-prop \
      --add allowed-task:com.unboundid.directory.server.tasks.ExecTask
  • The user scheduling the task must have the exec-task privilege. The server does not grant permission to run this task to any user by default, including root users.

The following configuration changes grant the exec-task privilege to a single root user, all root users, or a single non-root user:

  • To grant the exec-task privilege to a single root user, run the following.
    $ bin/dsconfig set-root-dn-user-prop --user-name "<username>" \
      --add privilege:exec-task
  • To grant the exec-task privilege to all root users, run the following.
    $ bin/dsconfig set-root-dn-prop \
      --add default-root-privilege-name:exec-task
  • To grant the exec-task privilege to a single non-root user, apply the following LDIF modification.
    dn: <userdn>
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: exec-task

Use the schedule-exec-task tool to create an exec task from the command line.

The following command schedules an exec task that runs the verify-index tool to check the integrity of the cn index in the backend that hosts "dc=example,dc=com", assuming that the server is installed in /ds.

    $ bin/schedule-exec-task --hostname directory.example.com \
      --port 389 \
      --bindDN uid=admin,dc=example,dc=com \
      --promptForBindPassword \
      --waitForCompletion \
      --logCommandOutput \
      /ds/bin/verify-index --baseDN dc=example,dc=com --index cn
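
A hardening check that complements the whitelist requirement above, as an added example that is not part of the product or its documentation: it audits a whitelist file for entries that are not absolute paths, are missing, or can be rewritten by group or other users. It assumes one command path per line with blank lines and `#` comment lines ignored; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit an exec-task command whitelist file.
# Assumed file format: one command path per line; blank lines and lines
# starting with '#' are ignored.

# Succeeds when the path (symlinks followed) is writable by group or others.
loosely_writable() {
  [ -n "$(find -H "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Prints one "FINDING <reason> <path>" line per problem and returns non-zero
# if any entry is flagged. The body runs in a subshell so variables stay local.
audit_exec_whitelist() (
  findings=0
  flag() { echo "FINDING $1 $2"; findings=$((findings + 1)); }
  while IFS= read -r line || [ -n "$line" ]; do
    # Trim surrounding whitespace, then skip blank lines and comments.
    path=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    case $path in
      '' | '#'*) continue ;;
      /*) ;;
      *) flag not-absolute "$path"; continue ;;
    esac
    if [ ! -f "$path" ]; then flag missing "$path"; continue; fi
    [ -x "$path" ] || flag not-executable "$path"
    # Whoever can rewrite the file or its directory controls what the task runs.
    if loosely_writable "$path"; then flag writable-file "$path"; fi
    if loosely_writable "$(dirname "$path")"; then flag writable-dir "$path"; fi
  done < "$1"
  [ "$findings" -eq 0 ]
)

# Usage: sh audit-whitelist.sh <server-root>/config/exec-command-whitelist.txt
if [ "$#" -eq 1 ] && [ -f "$1" ]; then audit_exec_whitelist "$1"; fi
```

Run it after every change to the whitelist file; a non-zero exit status means at least one entry was flagged.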