IBM Verify Directory: Server

This page documents the YAML schema which can be used to configure a Verify Directory Server container.

The value of each YAML key entry can be provided in the YAML file in any of the following forms:
- plain text;
- base-64 encoded text (prefix: 'B64:');
- the value of an environment variable (prefix: '$');
- the contents of a local file (prefix: '@');
- a field of a Kubernetes secret (format: secret:{name}/{field});
- a field of a Kubernetes ConfigMap (format: configmap:{name}/{field}).

In addition to this, each of the YAML keys can also be provided as an environment variable, using a normalized value of the key name as the environment variable name. For example, to set the server port the following environment variable can be set: 'server.port'.
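The prefix scheme above, re-implemented as an added example so that its failure modes are visible. This is illustration code, not the container's own configuration loader: the environment, file system and Kubernetes lookups are injected as plain Python mappings and callables (an assumption of this example; the real container reads the process environment, the container file system and the cluster API). The one behaviour worth copying is that every lookup fails closed, so a missing variable or secret field is an error rather than an empty password.

```python
import base64
import re
from typing import Any, Callable, Mapping

# Matches 'secret:{name}/{field}' and 'configmap:{name}/{field}' references.
_K8S_REF = re.compile(r"^(secret|configmap):([^/]+)/(.+)$")


def resolve_value(raw: str, env: Mapping[str, str], read_file: Callable[[str], str],
                  secrets: Mapping[str, Mapping[str, str]],
                  configmaps: Mapping[str, Mapping[str, str]]) -> str:
    """Resolve one scalar according to the prefix rules on this page.

    `env`, `read_file`, `secrets` and `configmaps` stand in for the process environment,
    the file system and the Kubernetes API so the function runs offline. Secret fields come
    out of the Kubernetes API base64-encoded and are decoded here; ConfigMap fields are
    plain strings. A plain value that itself starts with one of the prefixes cannot be
    expressed by this illustration.
    """
    if raw.startswith("B64:"):
        try:
            return base64.b64decode(raw[4:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError(f"B64: value is not valid base64 UTF-8: {exc}") from None
    if raw.startswith("$"):
        name = raw[1:]
        if name not in env:
            # Fail closed: an unset variable must not silently become an empty string.
            raise KeyError(f"environment variable {name!r} is not set")
        return env[name]
    if raw.startswith("@"):
        return read_file(raw[1:])
    match = _K8S_REF.match(raw)
    if match:
        kind, name, field = match.groups()
        store = secrets if kind == "secret" else configmaps
        if name not in store or field not in store[name]:
            raise KeyError(f"{kind} {name!r} has no field {field!r}")
        value = store[name][field]
        return base64.b64decode(value).decode("utf-8") if kind == "secret" else value
    return raw


def resolve_tree(node: Any, **lookups: Any) -> Any:
    """Apply resolve_value to every string leaf of a parsed YAML document (dicts and lists)."""
    if isinstance(node, dict):
        return {k: resolve_tree(v, **lookups) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_tree(v, **lookups) for v in node]
    if isinstance(node, str):
        return resolve_value(node, **lookups)
    return node  # ints, bools and None are left alone
```

Because the prefix is matched literally, the YAML value '@/var/data/key.pem' in the keyfile example later on this page is read from the container file system at start-up, while 'B64:...' is decoded in place; both avoid putting multi-line PEM data directly into the YAML.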


Configuration

advanced array

An array of objects which are used to define specific ibm-slapd properties to be set for the server.

📋 Array Items
attr array required

The attributes of the DN to modify.

📋 Array Items
name string required

The name of the attribute.

operation any

The LDAP operation which is to be performed on the attribute. The options include:
- replace: Replace any existing attribute value with the new value.
- add: Add the additional value to the attribute.
- delete: Delete the specified attribute and value.
Please note that the value is case sensitive.

Default: replace
Allowed values:
replace add delete
values array required

The string value(s) of the property. Please note that if a value is numeric it should be surrounded by quotes (for example '900') so that the YAML parser keeps it as a string rather than converting it to a number.

📋 Array Items
Type: string
dn string required

The DN of the configuration entry to modify.

Examples:
Example 1
advanced:
- dn: cn=Configuration
  attr:
  - name: ibm-slapdTimeLimit
    values:
    - '900'

debug object

The configuration entries which can be used to enable debugging within the container.

⚙️ Properties
startup boolean

A boolean which is used to indicate whether debugging should be enabled while bootstrapping the container.

Default: False
runtime number

Specifies the debug level to assign to the runtime. The value is a bit mask that controls which debug output is generated: 0 (the default) produces no debug output, and values from 1 to 65535 enable individual categories.

Default: 0
Validation Constraints:
• Minimum: 0
• Maximum: 65535

general object

The general configuration elements of the container.

⚙️ Properties
admin object required

The credentials of the server's primary administrative user.

⚙️ Properties
dn string

The distinguished name of the user which can be used to authenticate to the server.

Default: cn=root
pwd string required

The password of the user which can be used to authenticate to the server. Prefer supplying it through an environment variable ('$NAME') or a Kubernetes secret ('secret:{name}/{field}') rather than placing it in the YAML file in plain text.

users array

Additional administrative users for this server.

📋 Array Items
cn string required

The common name of the user.

pwd string required

The password of the user. This password must conform to the configured password policy.

role any required

The role assigned to the user. Refer to the official documentation for the permissions assigned to each role. Please note that the value is case sensitive.

Allowed values:
AuditAdmin DirDataAdmin NoAdmin PasswordAdmin ReplicationAdmin SchemaAdmin ServerConfigGroupMember

audit object

The configuration entries associated with the auditing of operations.

⚙️ Properties
enabled boolean

Enable or disable the audit service.

Default: False
log-to-file boolean

If enabled, the audit records will be sent to the '/var/isvd/logs/audit.log' file, otherwise the audit records will be sent to the console of the container.

Default: False
json-format boolean

If enabled, the audit records will be formatted as JSON, otherwise the audit records will be created in the legacy auditing format.

Default: True
failure-only boolean

Specifies whether only failed operations are logged. When false, successful operations are logged as well.

Default: True
groups-control boolean

Specifies whether to log the groups sent on a group control.

Default: False
group-eval boolean

Specifies whether to log the attributes sent on a group evaluation extended operation.

Default: False
performance boolean

Specifies whether to collect and log performance data in audit logs.

Default: False
pta-bind-info boolean

Specifies whether to log pass-through authentication information related to bind operations.

Default: True
operation object

The operations which can be audited.

⚙️ Properties
add boolean

Specifies whether to log the Add operation.

Default: False
bind boolean

Specifies whether to log the Bind operation.

Default: True
compare boolean

Specifies whether to log the Compare operation.

Default: False
delete boolean

Specifies whether to log the Delete operation.

Default: False
extended-op boolean

Specifies whether to log the Extended operation.

Default: False
extended-op-event boolean

Specifies whether to log the Extended operation event.

Default: False
modify boolean

Specifies whether to log the Modify operation.

Default: False
modify-dn boolean

Specifies whether to log the ModifyRDN operation.

Default: False
search boolean

Specifies whether to log the Search operation.

Default: False
unbind boolean

Specifies whether to log the Unbind operation.

Default: True
Examples:
Example 1
general:
  audit:
    enabled: true
    log-to-file: false
    json-format: true
    failure-only: true
    groups-control: true
    performance: true
    pta-bind-info: true
    group-eval: true
    operation:
      add: true
      bind: true
      compare: true
      delete: true
      extended-op: true
      extended-op-event: true
      modify: true
      modify-dn: true
      search: true
      unbind: true
id string

The identifier of the server. If no identifier is specified the hostname of the container will be used as the identifier.

json-logging boolean

Whether the logging and auditing messages should be formatted in JSON or not.

Default: True
key-stash string

The contents of the key stash file (.ksf) which is used to protect data. This file should be provided if cryptographic synchronization is required between different servers. The key stash can either be obtained from a software-based directory server installation, or a new one can be generated by starting this image with the 'keystash' argument. For example: 'docker run --rm icr.io/isvd/verify-directory-seed:latest keystash'. Please note that this will send a base-64 encoded version of the key stash to the console of the container. Treat that output as a secret: anything written to the container console may be captured by the logging pipeline, so copy it into a secret store and clear it from any logs.

license object required
⚙️ Properties
key string required

The license key, required to run the container.

accept string required

Which license agreement has been accepted, either 'limited' or 'standard' or 'enterprise'. To display a license agreement start the container with the 'license' command, for example: 'docker run --rm icr.io/isvd/verify-directory-server:latest license standard'

Allowed values:
limited standard enterprise
ports object

The ports on which the server will listen for requests.

⚙️ Properties
ldap integer

The port on which the server will listen for LDAP requests. A value of '0' is used to indicate that the server should not listen for LDAP requests. Please note that the server can listen on ports lower than 1024, but in order to do so the container infrastructure must grant the container the necessary permissions (for example the CAP_NET_BIND_SERVICE capability on Linux).

Default: 0
ldaps integer

The port on which the server will listen for LDAPS requests. A value of '0' is used to indicate that the server should not listen for LDAPS requests. Please note that the server can listen on ports lower than 1024, but in order to do so the container infrastructure must grant the container the necessary permissions.

Default: 9636
pwd-encryption string

The hashing or encryption mechanism applied to user passwords before they are stored in the directory. Please note that the value is case sensitive. 'none' stores passwords in clear text; 'crypt', 'md5', 'sha' and 'ssha' are legacy algorithms that are cheap to brute force; the 'aes128', 'aes192' and 'aes256' options are reversible encryption, so the original password can be recovered by anyone able to decrypt the directory data. Prefer the default ssha512 or, better, an iterated or memory-hard scheme such as pbkdf2-sha512, scrypt or argon2.

Default: ssha512
Allowed values:
none aes128 aes192 aes256 crypt sha ssha md5 sha224 sha256 sha384 sha512 ssha224 ssha256 ssha384 ssha512 pbkdf2-sha1 pbkdf2-sha224 pbkdf2-sha256 pbkdf2-sha384 pbkdf2-sha512 scrypt argon2

pwd-policy object

The configuration entries associated with the password policy which is enforced by the server.

⚙️ Properties
enabled boolean

Indicates whether the IBM Administrative Password Policy is enabled.

Default: True
failure-count-interval number

Specifies the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred.

Default: 0
lockout boolean

Enables replication of security attributes between master and read-only replica so that password policy for account lockout can be strongly enforced in replication topologies.

Default: True
lock-duration number

Specifies the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts.

Default: 300
max-consecutive-repeated-chars number

Specifies the maximum number of consecutive repeated characters in the password field.

Default: 2
max-failures number

Specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate.

Default: 10
max-repeated-chars number

Specifies the maximum number of repeated characters allowed.

Default: 2
min-alpha-chars number

Specifies the minimum number of alphabetic characters required in a user's password.

Default: 2
min-diff-chars number

Specifies the minimum number of different (unique) characters required in a user's password.

Default: 2
min-length number

Specifies the minimum number of characters that must be used in a password.

Default: 8
min-other-chars number

Specifies the minimum number of other (non-alphabetic, that is numeric or special) characters required.

Default: 2
advanced object

The configuration entries associated with rules for advanced password syntax checking.

⚙️ Properties
no-spaces boolean

If true, the password must not contain spaces.

no-user-id boolean

If true, the password must not be the same as, or contain, the value of the configured login attribute. The login attribute is configured by using the login-attribute configuration entry and is set to the name of the LDAP attribute (such as uid) that holds the user ID of users. Note: enabling this rule might have a performance impact on password update operations, because an internal search is performed on the user entry to obtain the value of the login attribute, which is then compared against the specified password.

login-attribute string

The name of the attribute which contains the user identity. This is used by the no-user-id rule.

min-special-chars number

Specifies the minimum number of special characters that a password must contain.

min-numeric-chars number

Specifies the minimum number of numeric characters that a password must contain.

min-lowercase-chars number

Specifies the minimum number of lowercase characters that a password must contain.

min-uppercase-chars number

Specifies the minimum number of uppercase characters that a password must contain.

max-asc-chars number

Specifies the maximum number of consecutive ascending characters (for example 'abcd' or '1234') that a password can contain. The characters can be alphabetic or numeric.

max-dsc-chars number

Specifies the maximum number of consecutive descending characters (for example 'dcba' or '4321') that a password can contain. The characters can be alphabetic or numeric.

custom-policy-script string

Specifies a custom password policy written in the Lua scripting language.

Examples:
Example 1
general:
  pwd-policy:
    enabled: true
    lockout: false
    lock-duration: 1800
    max-failures: 5
    min-length: 5
    failure-count-interval: 0
    max-consecutive-repeated-chars: 2
    max-repeated-chars: 2
    min-alpha-chars: 2
    min-diff-chars: 2
    min-other-chars: 2

schemas array

Any additional schema files (.at for attribute types, .oc for object classes) which will be added to the server. The schema files specified here can also be used to replace the IBM Verify Directory standard schema files. Please note however that if you supply a schema file in the YAML this schema should not be subsequently modified using an LDAP modify operation, otherwise the updates will be lost when the container next starts.

📋 Array Items
Type: string

The name of a schema file (.at or .oc). The file must exist within the container file system.

Examples:
Example 1
general:
  schemas:
  - /volume/data/custom.at
  - /volume/data/custom.oc
  - /volume/data/V3.ibm.at
ssl object

SSL configuration details for the server.

⚙️ Properties
auth string

The authentication type for the ssl connection. The options include:
- ServerAuth: Supports server authentication at the client.
- ServerClientAuth: Supports both server and client authentication.
Please note that the value is case sensitive.

Default: ServerAuth
Allowed values:
ServerAuth ServerClientAuth
cert-label string

The label that identifies the server's personal certificate in the key database file. If the field is not specified the default certificate from the key file will be used by the LDAP server for SSL connections.

ciphers array

The allowable cipher suites for establishing an SSL connection between LDAP client(s) and server. Please note that the value is case sensitive.

📋 Array Items
Type: string
protocols array

The SSL or TLS protocol versions to enable for the connection. The options include:
- SSLV3: Secure Sockets Layer version 3.0.
- TLS10: Transport Layer Security version 1.0.
- TLS11: Transport Layer Security version 1.1.
- TLS12: Transport Layer Security version 1.2.
- TLS13: Transport Layer Security version 1.3.
Please note that the value is case sensitive. SSLV3, TLS10 and TLS11 are deprecated protocol versions with known weaknesses and should only be enabled for legacy clients that cannot negotiate TLS12 or TLS13.

📋 Array Items
Type: string
fips boolean

Should the server operate in FIPS process mode?

Default: False
fips-fallback boolean

The non-FIPS certified cryptographic library is loaded as a secondary backup and is used if a requested algorithm is not contained in the certified library. This configuration option is ignored if the 'general.ssl.fips' configuration entry has not been set to 'true'.

Default: False
Examples:
Example 1
general:
  license:
    key: VGVzdDotMTowOjCCAaQG...
    accept: standard
  id: test.ibm.com
  admin:
    pwd: passw0rd1
  ports:
    ldap: 0
    ldaps: 9636

keyfile object

The configuration elements associated with the SSL key file. This will include any keys used by the server, along with any trusted certificates. A self-signed certificate will be created as the default certificate in the key file, with the label: 'self-signed-server'.

⚙️ Properties
keys array

Any private keys used by the server. The private key and its associated certificate should be combined into a single configuration entry in PEM format, and the private key must not be password protected. By way of example, a private key and a self-signed certificate can be created with OpenSSL using the following command (the '-nodes' option leaves the key unencrypted):
'openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365'

The key and certificate can then be concatenated into a single file.

If this key is to be used as the main certificate served by the server the general.ssl.cert-label configuration entry must be set to the name of the label for the key.

📋 Array Items
key string required

The PEM encoded private key and public certificate.

label string required

The label which will be associated with this key.

trusted-certificates array

Any certificates which should be trusted by the server, in PEM format.

📋 Array Items
Type: string

A certificate which is to be trusted by the server, in PEM format.

Examples:
Example 1
keyfile:
  keys:
  - label: server-key
    key: '@/var/data/key.pem'
  trusted-certificates:
  - '@/var/data/ca_cert.pem'
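A structural pre-flight check for the PEM bundle that goes into keyfile.keys[].key, added here as an example; it is not part of the product. It catches the two mistakes the description above warns about, a password-protected key and a key without its certificate, and shows how the 'B64:' prefix can carry the multi-line bundle as a single YAML scalar. SAMPLE_KEY_BUNDLE is a constructed placeholder whose bodies are valid base64 but not real key material; a real bundle is key.pem and cert.pem from the openssl command above concatenated in that order. The check is purely structural: it does not verify that the private key matches the certificate.

```python
import base64
import re
from typing import List, Tuple

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
_PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed placeholder: syntactically valid PEM, not real key material.
SAMPLE_KEY_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Split PEM text into (label, body) pairs; body is everything between the BEGIN and END lines."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def check_key_bundle(text: str) -> List[str]:
    """Return the problems that would stop `text` being usable as keyfile.keys[].key
    (empty list = structurally usable)."""
    problems: List[str] = []
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0] in _PRIVATE_KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if any(label == "ENCRYPTED PRIVATE KEY" for label, _ in blocks):
        problems.append("private key is password protected (PKCS#8 ENCRYPTED PRIVATE KEY)")
    for label, body in keys:
        if "Proc-Type: 4,ENCRYPTED" in body:  # legacy OpenSSL encrypted PEM header
            problems.append(f"{label} is password protected (Proc-Type: 4,ENCRYPTED)")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block; key and certificate must be concatenated")
    for label, body in blocks:
        # Drop RFC 1421 header lines (they contain ':'), then check the payload decodes.
        payload = "".join(line.strip() for line in body.splitlines() if ":" not in line)
        try:
            if not payload or not base64.b64decode(payload, validate=True):
                raise ValueError("empty body")
        except ValueError:
            problems.append(f"{label} body is not valid base64")
    return problems


def as_b64_yaml_value(text: str) -> str:
    """Encode a multi-line PEM bundle as a single 'B64:' scalar for the YAML file."""
    return "B64:" + base64.b64encode(text.encode("ascii")).decode("ascii")
```

Whichever form is used, '@/var/data/key.pem' or a 'B64:' scalar, the bundle contains an unencrypted private key, so the YAML file or the mounted volume needs the same access controls as the key itself.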

server object

The configuration entries associated with the IVD server.

⚙️ Properties

suffixes array

The suffixes which will be hosted by this server.

📋 Array Items
dn string required

The DN of the suffix.

object-classes array

The object classes which are used in the top level LDAP entry for this suffix. If no object classes are specified the top level LDAP entry for this suffix must be created manually. Please note that after the top level LDAP entry has been created it will not be modified if the YAML is modified. Any subsequent updates to the top level LDAP entry must be manually applied.

📋 Array Items
Type: string
attributes array

Any attributes, in addition to the attributes defined in the RDN, which should be set on the top level LDAP entry for this suffix. Please note that after the top level LDAP entry has been created it will not be modified if the YAML is modified. Any subsequent updates to the top level LDAP entry must be manually applied.

📋 Array Items
Type: string
Examples:
Example 1
server:
  suffixes:
  - dn: o=ibm,c=us
    object-classes:
    - organization
    - country
    attributes:
    - c=us
  - dn: o=sample
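What the 'advanced' array at the top of this page and the 'suffixes' array above amount to in LDAP terms, rendered as LDIF change records (RFC 2849). This is an added example, not the container's own bootstrap code: it shows that an 'advanced' item is a modify against a configuration entry such as cn=Configuration, and that a suffix with object-classes becomes an add of the top-level entry whose RDN attribute is derived from the dn. It also enforces the schema note that numeric values must be quoted, which a YAML parser would otherwise turn into integers. RDN parsing is deliberately naive (a split on the first ',' and '='); escaped RDN characters per RFC 4514 are not handled.

```python
import base64
from typing import Any, Dict, List, Optional


def _ldif_line(attr: str, value: str) -> str:
    """Format one attribute line; RFC 2849 requires base64 ('::') for values that are not SAFE-STRINGs."""
    unsafe_lead = value[:1] in (" ", ":", "<")
    non_ascii = any(ord(c) < 32 or ord(c) > 126 for c in value)
    if value and (unsafe_lead or non_ascii):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def advanced_to_ldif(advanced: List[Dict[str, Any]]) -> str:
    """Render the 'advanced' array as LDIF modify records, one per dn."""
    records = []
    for entry in advanced:
        lines = [_ldif_line("dn", entry["dn"]), "changetype: modify"]
        for attr in entry["attr"]:
            op = attr.get("operation", "replace")  # the page's default
            if op not in ("replace", "add", "delete"):
                raise ValueError(f"{attr['name']}: unsupported operation {op!r} (case sensitive)")
            for value in attr["values"]:
                # YAML turns an unquoted 900 into an int; the schema wants the string '900'.
                if not isinstance(value, str):
                    raise TypeError(f"{attr['name']}: value {value!r} must be a quoted string")
            lines.append(f"{op}: {attr['name']}")
            lines.extend(_ldif_line(attr["name"], v) for v in attr["values"])
            lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def suffix_to_ldif(suffix: Dict[str, Any]) -> Optional[str]:
    """Render the top-level entry created for a suffix, or None when no object-classes are
    given and the entry therefore has to be created manually."""
    classes = suffix.get("object-classes") or []
    if not classes:
        return None
    dn = suffix["dn"]
    rdn_attr, rdn_value = (s.strip() for s in dn.split(",", 1)[0].split("=", 1))
    lines = [_ldif_line("dn", dn), "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in classes]
    lines.append(_ldif_line(rdn_attr, rdn_value))
    for extra in suffix.get("attributes") or []:
        name, value = (s.strip() for s in extra.split("=", 1))
        lines.append(_ldif_line(name, value))
    return "\n".join(lines) + "\n"
```

For the suffix example above, 'o=ibm,c=us' yields an entry with objectClass organization and country, 'o: ibm' taken from the RDN and 'c: us' from the attributes list; 'o=sample', having no object-classes, yields nothing and must be created by hand, as the description says.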

change-log object

The configuration entries associated with the change log capability of the server. The change log records all the directory updates in a change log database. When you enable the change log, it significantly slows down the update performance of a directory server.

⚙️ Properties
enabled boolean

A boolean which is used to indicate whether the change log functionality is enabled or not.

Default: False
max-entries number

Specifies the maximum number of entries to keep in the change log. A value of 0 means there is no limit on the number of entries.

Default: 1000000
max-days number

Specifies, in days, the maximum amount of time to keep entries in the change log. This is combined with the max-hours entry to specify the maximum age of a change log entry. A value of 0 means that there is no age limit on entries in the change log.

Default: 0
max-hours number

Specifies, in hours, the maximum amount of time to keep entries in the change log. This is combined with the max-days entry to specify the maximum age of a change log entry. A value of 0 means that there is no age limit on entries in the change log.

Default: 0
Examples:
Example 1
server:
  change-log:
    enabled: true
    max-entries: 99999
    max-days: 55
    max-hours: 12

replication object

The configuration entries associated with the replication supplier characteristics.

⚙️ Properties
enable-conflict-resolution-for-groups boolean

Specifies whether replication conflict resolution will be performed for group entries or not.

Default: False
restricted-access boolean

Used to control access to the replication topology entry. If it is set to true, then only the root admin, local admin group members and the master DN have access to the replication topology entry, otherwise, any user with proper ACL settings may have access to the replication topology entry.

Default: False
log-members boolean

If true, member information will be logged in the lost and found log for group entries involved in a replication conflict.

Default: True
max-pending-changes-displayed number

The maximum number of pending replication updates or failed updates to be displayed for any given replication agreement on a supplier server.

Default: 200
context-cache-size number

The maximum number of updates to retain in the replication context cache.

Default: 100000
max-errors number

The limit for allowed errors per replication agreement. A value of 0 means unlimited errors.

Default: 0
admin object

The credential information used when replicating.

⚙️ Properties
dn string

The DN of the master server.

Default: cn=replcred
pwd string required

The password of the master server.

no-conflict-resolution boolean

Specifies whether or not the directory server will handle replication conflict resolution. If it is set to true, then the server does not try to compare timestamps for replicated entries in an attempt to resolve conflicts between the entries. However, conflict resolution does not apply to entry cn=schema which is always replaced by a replicated cn=schema.

Default: True
users array

Additional per-suffix replication users for this server.

📋 Array Items
dn string required

The DN of the user.

pwd string required

The password of the user. This password must conform to the configured password policy.

suffix any required

A DN identifying the top of a replicated subtree.

Examples:
Example 1
server:
  replication:
    enable-conflict-resolution-for-groups: false
    restricted-access: true
    log-members: true
    max-pending-changes-displayed: 200
    context-cache-size: 100000
    max-errors: 0
    admin:
      dn: cn=replcred
      pwd: passw0rd
      no-conflict-resolution: true
      users:
      - dn: cn=replcred1
        pwd: passw0rd
        suffix: o=sample

pass-through-authentication array

The configuration entries associated with the pass-through authentication capability of the server. The pass-through mechanism authenticates a user on the authenticating server, even if the user entry or password is on a different server. Please note that this capability is only available with a standard or enterprise license.

📋 Array Items
url string required

Specifies the LDAP URL of a pass-through authentication server. This must be in the form 'ldap://' or 'ldaps://' (to indicate SSL use ldaps) with the port number on which the pass-through directory is configured.

subtree array required

The subtrees in the directory server instance that is configured for pass-through authentication and validation of the authentication request.

📋 Array Items
Type: string
result-timeout number

The maximum number of milliseconds that the pass-through authentication interface waits for a response from the pass-through server.

Default: 1000
migrate-pwd boolean

Whether to store the user password in the local directory entry, if the authentication is successful.

Default: False
connection-pool-size number

Sets the number of connections for each pass-through server.

Default: 4
Validation Constraints:
• Minimum: 2
• Maximum: 15
server-type string

Specifies the type of pass-through authentication server.

Default: SecurityDirectoryServer
Allowed values:
ActiveDirectory SecurityDirectoryServer
attribute-mapping object
⚙️ Properties
search-base string required

The search base in the pass-through server where you want to search for the entry.

mapping string required

The mapping of an attribute in IBM Verify Directory to an attribute in the pass-through server. An example of attribute mapping is 'cn $ uid', which indicates that the cn attribute from IBM Verify Directory is mapped to the uid attribute in the pass-through server.

bind-dn string required

The bind DN that will be used to bind to the pass-through directory when searching for the mapped entry DN.

bind-pwd string required

The bind password that will be used to bind to the pass-through directory when searching for the mapped entry DN.

linking-attribute object
⚙️ Properties
name string required

The name of the mapping attribute in the pass-through server. For example: 'empNo'.

value string required

The value that must be used with the linking attribute to search the pass-through server.

Examples:
Example 1
server:
  pass-through-authentication:
  - url: ldaps://ldap.ibm.com
    subtree:
    - o=sample
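The attribute-mapping lookup described above, worked as an added example (not IBM's pass-through code): parsing the 'cn $ uid' mapping syntax and building the search that locates the mapped entry on the pass-through server. The security point is the filter: the local attribute value is user-controlled data that ends up inside an LDAP filter sent, with the bind-dn credentials, to another directory, so it is escaped per RFC 4515 before it is interpolated. The URL helper checks the scheme rule from the url description; falling back to the IANA default ports when the port is omitted and ANDing a linking-attribute into the filter as a literal value are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a value so that it can only match as data and never change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def parse_pta_url(url: str) -> Tuple[str, int, bool]:
    """Return (host, port, tls) for a pass-through URL; only ldap:// and ldaps:// are accepted.
    ldap:// carries the bind-pwd and the users' credentials in clear text on the wire."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"pass-through url must be ldap://host:port or ldaps://host:port: {url!r}")
    tls = parts.scheme == "ldaps"
    # The page asks for an explicit port; this example falls back to the IANA defaults.
    return parts.hostname, parts.port or (636 if tls else 389), tls


def parse_mapping(mapping: str) -> Tuple[str, str]:
    """Parse the 'local $ remote' mapping syntax, e.g. 'cn $ uid' -> ('cn', 'uid')."""
    parts = [p.strip() for p in mapping.split("$")]
    if len(parts) != 2 or not all(_ATTR_NAME.fullmatch(p) for p in parts):
        raise ValueError(f"mapping must be '<local-attr> $ <remote-attr>': {mapping!r}")
    return parts[0], parts[1]


@dataclass
class MappingSearch:
    search_base: str
    filter: str


def build_mapping_search(attribute_mapping: dict, local_entry: dict,
                         linking: Optional[dict] = None) -> MappingSearch:
    """Build the search (base + filter) that finds the pass-through entry for a local user."""
    local_attr, remote_attr = parse_mapping(attribute_mapping["mapping"])
    if local_attr not in local_entry:
        raise KeyError(f"local entry has no {local_attr!r} attribute to map")
    clauses = [f"({remote_attr}={escape_filter_value(local_entry[local_attr])})"]
    if linking:  # assumption: linking-attribute is ANDed in as a literal value
        if not _ATTR_NAME.fullmatch(linking["name"]):
            raise ValueError(f"bad linking attribute name {linking['name']!r}")
        clauses.append(f"({linking['name']}={escape_filter_value(linking['value'])})")
    flt = clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
    return MappingSearch(attribute_mapping["search-base"], flt)
```

Without the escaping, a local entry whose cn is 'jdoe)(objectClass=*' would turn the intended '(uid=jdoe)' lookup into a filter matching every entry under the search base, and the first result would be the entry the bind is tried against.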
enable-last-auth-timestamp boolean

If true, the time stamp that corresponds to the last successful authentication for a user is recorded. The time stamp will be recorded for users in all suffixes.

Default: False
Examples:
Example 1
server:
  suffixes:
  - attributes:
    - c=us
    dn: o=ibm,c=us
    object-classes:
    - organization
    - country
  - dn: o=sample

Examples

Example 1
general:
  admin:
    pwd: $PASSWORD
    dn: cn=root
  id: instance1
  license:
    key: VGVzdDotMTowOjCCAaQG...
    accept: standard
  ports:
    ldap: 389
    ldaps: 636
  ssl:
    cert-label: server-key
server:
  suffixes:
  - attributes:
    - c=us
    dn: o=ibm,c=us
    object-classes:
    - organization
    - country
  - dn: o=sample
keyfile:
  keys:
  - key: '@/var/data/key.pem'
    label: server-key
advanced:
- attr:
  - name: ibm-slapdTimeLimit
    values:
    - '900'
  dn: cn=Configuration