Provided by: python3-lib389_1.4.3.6-2_all 
NAME
dsctl
SYNOPSIS
dsctl [-h] [-v] [-j] [-l] [instance]
{restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-
nsstate} ...
OPTIONS
instance
The name of the instance to act upon
Sub-commands
dsctl restart
Restart an instance of Directory Server, if it is running: else start it.
dsctl start
Start an instance of Directory Server, if it is not currently running
dsctl stop
Stop an instance of Directory Server, if it is currently running
dsctl status
Check running status of an instance of Directory Server
dsctl remove
Destroy an instance of Directory Server, and remove all data.
dsctl db2index
Initialise a reindex of the server database. The server must be stopped for this to
proceed.
dsctl db2bak
Initialise a BDB backup of the database. The server must be stopped for this to
proceed.
dsctl db2ldif
Initialise an LDIF dump of the database. The server must be stopped for this to
proceed.
dsctl dbverify
Perform a db verification. You should only do this at direction of support
dsctl bak2db
Restore a BDB backup of the database. The server must be stopped for this to
proceed.
dsctl ldif2db
Restore an LDIF dump of the database. The server must be stopped for this to
proceed.
dsctl backups
List backup's found in the server's default backup directory
dsctl ldifs
List all the LDIF files located in the server's LDIF directory
dsctl tls
Manage TLS certificates
dsctl healthcheck
Run a healthcheck report on a local Directory Server instance. This is a safe and
read-only operation. Do not attempt to run this on a remote Directory Server as
this tool needs access to local resources, otherwise the report may be inaccurate.
dsctl get-nsstate
Get the replication nsState in a human readable format
Replica DN: The DN of the replication configuration entry Replica SUffix:
The replicated suffix Replica ID: The Replica identifier Gen Time
The time the CSN generator was created Gen Time String: The time string of
generator Gen as CSN: The generation CSN Local Offset: The offset
due to the local clock being set back Local Offset String: The offset in a nice
human format Remote Offset: The offset due to clock difference with remote
systems Remote Offset String: The offset in a nice human format Time Skew:
The time skew between this server and its replicas Time Skew String: The time
skew in a nice human format Seq Num: The number of multiple csns
within a second System Time: The local system time Diff in Seconds:
The time difference in seconds from the CSN generator creation to now Diff in
days/secs: The time difference broken up into days and seconds Endian:
Little/Big Endian
OPTIONS 'dsctl restart'
usage: dsctl [instance] restart [-h]
OPTIONS 'dsctl start'
usage: dsctl [instance] start [-h]
OPTIONS 'dsctl stop'
usage: dsctl [instance] stop [-h]
OPTIONS 'dsctl status'
usage: dsctl [instance] status [-h]
OPTIONS 'dsctl remove'
usage: dsctl [instance] remove [-h] [--do-it]
--do-it
By default we do a dry run. This actually initiates the removal of the
instance.
OPTIONS 'dsctl db2index'
usage: dsctl [instance] db2index [-h] backend
backend
The backend to reindex. IE userRoot
OPTIONS 'dsctl db2bak'
usage: dsctl [instance] db2bak [-h] [archive]
archive
The destination for the archive. This will be created during the db2bak
process.
OPTIONS 'dsctl db2ldif'
usage: dsctl [instance] db2ldif [-h] [--replication] [--encrypted]
backend [ldif]
backend
The backend to output as an LDIF. IE userRoot
ldif The path to the ldif output location.
--replication
Export replication information, suitable for importing on a new consumer or
backups.
--encrypted
Export encrypted attributes
OPTIONS 'dsctl dbverify'
usage: dsctl [instance] dbverify [-h] backend
backend
The backend to verify. IE userRoot
OPTIONS 'dsctl bak2db'
usage: dsctl [instance] bak2db [-h] archive
archive
The archive to restore. This will erase all current server databases.
OPTIONS 'dsctl ldif2db'
usage: dsctl [instance] ldif2db [-h] [--encrypted] backend ldif
backend
The backend to restore from an LDIF. IE userRoot
ldif The path to the ldif to import
--encrypted
Import encrypted attributes
OPTIONS 'dsctl backups'
usage: dsctl [instance] backups [-h] [--delete DELETE]
--delete DELETE
Delete backup directory
OPTIONS 'dsctl ldifs'
usage: dsctl [instance] ldifs [-h] [--delete DELETE]
--delete DELETE
Delete LDIF file
OPTIONS 'dsctl tls'
usage: dsctl [instance] tls [-h]
{list-ca,list-client-ca,show-server-cert,show-cert,generate-
server-cert-csr,import-client-ca,import-ca,import-server-cert,import-server-key-
cert,remove-cert}
...
Sub-commands
dsctl tls list-ca
list server certificate authorities including intermediates
dsctl tls list-client-ca
list client certificate authorities including intermediates
dsctl tls show-server-cert
Show the active server certificate that clients will see and verify
dsctl tls show-cert
Show a certificate's details referenced by it's nickname. This is analogous to
certutil -L -d <path> -n <nickname>
dsctl tls generate-server-cert-csr
Generate a Server-Cert certificate signing request - the csr is then submitted to a
CA for verification, and when signed you import with import-ca and import-server-
cert
dsctl tls import-client-ca
Import a CA trusted to issue user (client) certificates. This is part of how client
certificate authentication functions.
dsctl tls import-ca
Import a CA or intermediate CA for signing this servers certificates (aka Server-
Cert). You should import all the CA's in the chain as required.
dsctl tls import-server-cert
Import a new Server-Cert after the csr has been signed from a CA.
dsctl tls import-server-key-cert
Import a new key and Server-Cert after having been signed from a CA. This is used
if you have an external csr tool or a service like lets encrypt that generates PEM
keys externally.
dsctl tls remove-cert
Delete a certificate from this database. This will remove it from acting as a CA, a
client CA or the Server-Cert role.
OPTIONS 'dsctl tls list-ca'
usage: dsctl [instance] tls list-ca [-h]
OPTIONS 'dsctl tls list-client-ca'
usage: dsctl [instance] tls list-client-ca [-h]
OPTIONS 'dsctl tls show-server-cert'
usage: dsctl [instance] tls show-server-cert [-h]
OPTIONS 'dsctl tls show-cert'
usage: dsctl [instance] tls show-cert [-h] nickname
nickname
The nickname (friendly name) of the certificate to display
OPTIONS 'dsctl tls generate-server-cert-csr'
usage: dsctl [instance] tls generate-server-cert-csr [-h] [--subject SUBJECT]
[alt_names [alt_names ...]]
alt_names
Certificate requests subject alternative names. These are auto-detected if not
provided
--subject SUBJECT, -s SUBJECT
Certificate Subject field to use
OPTIONS 'dsctl tls import-client-ca'
usage: dsctl [instance] tls import-client-ca [-h] cert_path nickname
cert_path
The path to the x509 cert to import as a client trust root
nickname
The name of the certificate once imported
OPTIONS 'dsctl tls import-ca'
usage: dsctl [instance] tls import-ca [-h] cert_path nickname
cert_path
The path to the x509 cert to import as a server CA
nickname
The name of the certificate once imported
OPTIONS 'dsctl tls import-server-cert'
usage: dsctl [instance] tls import-server-cert [-h] cert_path
cert_path
The path to the x509 cert to import as Server-Cert
OPTIONS 'dsctl tls import-server-key-cert'
usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path
cert_path
The path to the x509 cert to import as Server-Cert
key_path
The path to the x509 key to import associated to Server-Cert
OPTIONS 'dsctl tls remove-cert'
usage: dsctl [instance] tls remove-cert [-h] nickname
nickname
The name of the certificate to delete
OPTIONS 'dsctl healthcheck'
usage: dsctl [instance] healthcheck [-h]
OPTIONS 'dsctl get-nsstate'
usage: dsctl [instance] get-nsstate [-h] [--suffix SUFFIX] [--flip FLIP]
--suffix SUFFIX
The DN of the replication suffix to read the state from
--flip FLIP
Flip between Little/Big Endian, this might be required for certain
architectures
-v, --verbose
Display verbose operation tracing during command execution
-j, --json
Return result in JSON object
-l, --list
List available Directory Server instances
AUTHORS
lib389 was written by Red Hat Inc. <389-devel@lists.fedoraproject.org>.
DISTRIBUTION
The latest version of lib389 may be downloaded from
⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩
Manual dsctl(8)