<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2011-2012 ForgeRock AS
! Portions Copyright 2013 Jens Elkner
-->
xsi:schemaLocation="http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refmeta>
<refentrytitle><application>opendj</application></refentrytitle>
</refmeta>
<refnamediv>
<refname><application>opendj</application></refname>
<refpurpose
>a high-performance, highly-extensible, LDAPv3 compliant directory server</refpurpose>
</refnamediv>
<refsection>
<title>Description</title>
<para>
OpenDJ is a high-performance, highly-extensible, pure Java directory server. The
server is fully compliant with the LDAPv3 standard, and passes all of the
compliance, interoperability and security tests suites. The directory server
implements most of the standard and experimental LDAP extensions defined in the
IETF as RFCs or Internet-Drafts, ensuring maximum interoperability with LDAP
client applications.
</para>
<para>
The OpenDJ software includes a rich set of APIs making the directory
server easy to extend. The directory server supports a loosely consistent
multi-master replication model that guarantees high availability of data for
all operations, searches or updates. While theoretically unlimited with regard
to the number of masters, the directory server has been stressed under heavy
and durable load with four masters.
</para>
<para>
The OpenDJ software includes:
<itemizedlist>
<listitem>
<para>
A graphical installation tool (QuickSetup) that enables you
to have a server configured, and up and running in less than 3 minutes.
</para>
</listitem>
<listitem>
<para>
A graphical control panel <citerefentry><refentrytitle
xpointer='xpointer(//manvolnum[@name="v1m"])'/></citerefentry> that displays
server status information and enables you to perform basic directory server
administration.
</para>
</listitem>
<listitem>
<para>
A rich set of command-line utilities to perform all online administrative tasks
both interactively and scripted.
</para>
</listitem>
<listitem>
<para>
Advanced security and password policies.
</para>
</listitem>
<listitem>
<para>
Advanced backup and restore capabilities.
</para>
</listitem>
<listitem>
<para>
</para>
</listitem>
<listitem>
<para>
Full integration into the Solaris Service Management Facilities (SMF) and
Role-Based Access Management (RBAC) system (see <citerefentry>
<refentrytitle>smf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>rbac</refentrytitle><manvolnum
>5</manvolnum></citerefentry>).
</para>
</listitem>
</itemizedlist>
</para>
<note>
<para>
The default settings for the directory server are targeted at the initial
evaluator or developer, running on a zone with a limited amount of resources.
To scale the server, it is important to do initial tuning of the Java VM and of
the server itself.
</para>
</note>
<para>
Support for OpenDJ is available from ForgeRock. More information can be found at
</para>
</refsection>
<refsection>
<title>Usage</title>
<para>
The OpenDJ software allows one to run one or more LADP server instances within
the same zone or machine, whereby each instance requires its own dedicated
directory to store the instance specific data like server runtime configuration, schemas,
certificates and keys, etc.. That's why this directory is usually referred as
<emphasis>instance data directory</emphasis> or <emphasis>instance directory</emphasis>.
</para>
<para>
The software allows only the owner of the instance directory (default:
<option>ldapd</option>:<option>ldapd</option> for system services) to actually
run the related OpenDJ server instance or exectute any related OpenDJ tools or
utilities.
</para>
<para>
To allow other users to use OpenDJ tools and utilities against system service
instances without doing a <citerefentry><refentrytitle
xpointer='xpointer(//manvolnum[@name="v1m"])'/></citerefentry> to become that
user every time, the SVR4 aka Solaris package installs an RBAC profile named
"OpenDJ Admin". Any user, which has this profile assigned (see <citerefentry
><refentrytitle>usermod</refentrytitle><manvolnum
>1M</manvolnum></citerefentry>), is able to execute OpenDJ tools and utilities
directly (if the running shell is a pf* shell like pfksh, pftcsh) or by prefixing
the command in question with <command>pfexec</command> - the operating system
will automatically change the uid:gid of the process and its children to
ldapd:ldapd.
</para>
<para>
When the OpenDJ SVR4 aka Solaris package gets installed, a default SMF service
for a single OpenDJ server instance (also referred as the <emphasis
>default instance</emphasis>) gets installed as well: <systemitem
has the "OpenDJ Admin" profile assigned, has also the permission to manage this
service or change its properties). However, this service is initially disabled,
because one needs to <citerefentry><refentrytitle
xpointer='xpointer(//manvolnum[@name="v1m"])'/></citerefentry> the associated
OpenDJ server instance first.
</para>
<important>
<para>
Note that all OpenDJ tools and utilities use the value of the environment
variable <varname>INSTANCE_ROOT</varname> as the path of the instance directory
to use. If this variable is not set or empty, and the executing user is not
<constant>ldapd</constant> (or a user with "OpenDJ Admin" privileges), it
defaults to <varname>$HOME</varname><filename class="directory">/opendj</filename>.
Otherwise, on non-OpenSolaris based systems, it defaults to <filename class="directory"
initialized to the value of the service property <constant
<varname>SMF_FMRI</varname>. If this variable is not set, the default service
corresponding value.
</para>
</important>
<para>
To setup a new OpenDJ instance and if the defaults are inappropriate for the
intended environment, one needs to create the instance directory, possibly change
its owner, and on OpenSolaris based system set the <varname>SMF_FMRI</varname>
variable to the name of the related SMF service and change its <constant
non-OpenSolaris based system set the <varname>INSTANCE_ROOT</varname> variable
to the corresponding directory name instead.
</para>
<para>
Finally run OpenDJ's
xpointer='xpointer(//manvolnum[@name="v1m"])'/></citerefentry> utility to
initialize/configure the OpenDJ with the required values - the command line
variant (use option <option>--cli</option>) is recommended. As mentioned above,
on OpenSolaris based systems it must be run either by an user having the
"OpenDJ Admin" profile assigned, or the user owning the instance data directory
if you are going to configure a system service (i.e. which gets automatically
</para>
<para>
the <citerefentry><refentrytitle>svcadm</refentrytitle><manvolnum
>1M</manvolnum></citerefentry> command as for any other service on OpenSolaris
based systems. On non-OpenSolaris based system one may use the <citerefentry
><refentrytitle>create-rc-script</refentrytitle><manvolnum
>8</manvolnum></citerefentry> utility to create a service run control script in
an appropriate place and enable it using the distribution dependend command.
</para>
<para>
For your convinience, every OpenDJ tool which supports the option
<option>--propertiesFilePath</option>, will look for
does not exist, for
to obtain default parameters to use, unless a file was explicitly specified via
the mentioned option. Default in this context means, command line arguments take
precendence over the settings obtained from the properties file (if any). If you
don't want the tools to try using these files, just add the option
<option>--noPropertiesFile</option> when the comamnd gets launched. The format
of the file and honored properties are described in the
itself.
</para>
</refsection>
<refsection>
<title>Examples</title>
<para>
Within the following examples, a hash prompt (# ) denotes commands executed by
the user root, a dollar prompt ($ ) denotes a command executed by a user, which
has the "OpenDJ Admin" profile assigned and is running a pfksh93. All examples
assume, that OpenDJ software has been installed into the directory <filename
class="directory">/opt</filename> and that the user (or role) ldapd owns the
related instance data directory. Remember, if a user doesn't use a profile shell
like pf*sh, he needs explicitly run all commands using pfexec infront of it.
</para>
<informalexample >
<para>
<markup>Example 1</markup>: Create an OpenDJ admin user named vala which has
the "OpenDJ Admin" profile assigned:
</para>
<literallayout><prompt
-c 'Claudia Mal Doran' \
</informalexample>
<informalexample>
<para>
<markup>Example 2</markup>: Check which profiles you have:
</para>
<literallayout><prompt
>$ </prompt><command>profiles</command></literallayout>
<screen>
OpenDJ Admin
Basic Solaris User
All
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 3</markup>: Check which authorizations you have:
</para>
<literallayout><prompt
>$ </prompt><command>auths</command></literallayout>
<screen>
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 4</markup>: Prepare the instance directory for the default
</para>
<literallayout><prompt
<prompt># </prompt><command>exit</command>
<prompt>$ </prompt><command
</informalexample>
<informalexample>
<para>
<markup>Example 5</markup>: Initialize the default OpenDJ server instance using
the CLI version of setup. Note that we choose to not start the server
automatically after setup (because we want SMF to manage it) and to use the
Java Key Store (which is the default one):
</para>
<literallayout><prompt
--baseDN dc=example,dc=com \
--addBaseEntry \
--ldapPort 389 \
--enableStartTLS \
--ldapsPort 636 \
--adminConnectorPort 4444 \
--rootUserDN 'cn=Directory Manager' \
--rootUserPassword mySecretPassword \
--generateSelfSignedCertificate \
--hostName ldap.example.com \
--no-prompt \
--noPropertiesFile \
--doNotStart</command></literallayout>
<screen>
OpenDJ @VERS_FULL@
Please wait while the setup program initializes...
of this operation.
Configuring Directory Server ..... Done.
Configuring Certificates ..... Done.
Creating Base Entry dc=example,dc=com ..... Done.
To see basic server configuration status and configuration you can \
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 6</markup>: Adjust the JVM parameter and arguments for the
OpenDJ utilities (the success message is a little bit imprecise. It should
actually say "OpenDJ" instead of "server" commands):
</para>
<literallayout><prompt
<prompt>$ </prompt><command
</literallayout>
<screen>
The operation was successful. The server commands will use \
the java arguments and java home specified in the properties \
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 7</markup>: Instruct SMF to start the default OpenDJ instance
now (and every time, the zone gets rebooted - as well as to stop the server,
when the zone is going down):
</para>
<literallayout><prompt
>$ </prompt><command>svcadm enable opendj@VERS@:default</command></literallayout>
</informalexample>
<informalexample>
<para>
<markup>Example 8</markup>: Check the state of the service:
</para>
<literallayout><prompt
>$ </prompt><command>svcs -l opendj@VERS@:default</command></literallayout>
<screen>
name OpenDJ LDAP directory server
enabled true
state online
next_state none
state_time Mon Apr 22 09:28:19 2013
contract_id 5037
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 9</markup>: Check the state of the OpenDJ server instance:
</para>
<literallayout><prompt
-w mySecretPassword</command></literallayout>
<screen>
--- Server Status ---
Server Run Status: Started
Open Connections: 1
--- Server Details ---
Host Name: ldap.example.com
Administrative Users: cn=Directory Manager
Version: @PRODUCT@
Java Version: 1.7.0_17
Administration Connector: Port 4444 (LDAPS)
--- Connection Handlers ---
Address:Port : Protocol : State
-------------:------------------------:---------
-- : LDIF : Disabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:389 : LDAP (allows StartTLS) : Enabled
0.0.0.0:636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled
--- Data Sources ---
Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 1
Replication: Disabled
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 10</markup>: An example for <filename
</para>
port=389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com
ldapcompare.port=389
ldapdelete.port=389
ldapmodify.port=389
ldapsearch.port=389
</programlisting>
</informalexample>
<informalexample>
<para>
<markup>Example 11</markup>: Check the contents of the admin key store (you
can do this as user ldapd as well):
</para>
<literallayout><prompt
># </prompt><command>keytool -list -v \
<screen>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: admin-cert
Creation date: 21.04.2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ldap.example.com, O=Administration Connector Self-Signed Certificate
Issuer: CN=ldap.exampl.com, O=Administration Connector Self-Signed Certificate
Serial number: 4a50ad15
Valid from: Sun Apr 21 09:51:35 CEST 2013 until: Tue Apr 21 09:51:35 CEST 2015
Certificate fingerprints:
MD5: 00:A7:BC:FC:1E:FA:DC:0C:CF:F6:9A:F7:58:26:42:EC
SHA1: D0:55:04:A2:13:48:29:DE:CA:32:8E:DF:CD:55:3F:80:C5:AB:D7:DF
SHA256: FF:66:A1:D0:C8:CB:A3:2E:94:3C:40:20:B9:07:65:31:97:80:90:7B:3D:69:66:B2:ED:6E:FF:05:90:AD:8C:98
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 12</markup>: Check the contents of the admin trust store (you
can do this as user ldapd as well):
</para>
<literallayout><prompt
># </prompt><command>keytool -list -v \
<screen>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: admin-cert
Creation date: 21.04.2013
Entry type: trustedCertEntry
Owner: CN=ldap.example.com, O=Administration Connector Self-Signed Certificate
Issuer: CN=ldap.example.com, O=Administration Connector Self-Signed Certificate
Serial number: 4a50ad15
Valid from: Sun Apr 21 09:51:35 CEST 2013 until: Tue Apr 21 09:51:35 CEST 2015
Certificate fingerprints:
MD5: 00:A7:BC:FC:1E:FA:DC:0C:CF:F6:9A:F7:58:26:42:EC
SHA1: D0:55:04:A2:13:48:29:DE:CA:32:8E:DF:CD:55:3F:80:C5:AB:D7:DF
SHA256: FF:66:A1:D0:C8:CB:A3:2E:94:3C:40:20:B9:07:65:31:97:80:90:7B:3D:69:66:B2:ED:6E:FF:05:90:AD:8C:98
Signature algorithm name: SHA1withRSA
Version: 3
</screen>
</informalexample>
<informalexample>
<para>
<markup>Example 13</markup>: Check the contents of the trust store used wrt.
replication (you can do this as user ldapd as well):
</para>
<literallayout><prompt
># </prompt><command>keytool -list -v \
<screen>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: ea2f4b92885143d7f314f84440de01b7
Creation date: 21.04.2013
Entry type: trustedCertEntry
Owner: CN=ldap.example.com, O=OpenDJ Certificate
Issuer: CN=ldap.example.com, O=OpenDJ Certificate
Serial number: 46d0e045
Valid from: Sun Apr 21 09:51:36 CEST 2013 until: Sat Apr 16 09:51:36 CEST 2033
Certificate fingerprints:
MD5: EA:2F:4B:92:88:51:43:D7:F3:14:F8:44:40:DE:01:B7
SHA1: 1F:7D:5F:76:D7:AA:1F:F6:0E:E9:EC:EF:BA:9D:BF:D6:2E:AC:32:D8
SHA256: 3D:87:1A:B5:5B:13:DF:CF:AA:5D:DC:C7:34:0E:92:E3:60:51:EA:92:36:EF:B4:59:14:A8:38:05:FD:25:CC:45
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
Alias name: ads-certificate
Creation date: 21.04.2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ldap.example.com, O=OpenDJ Certificate
Issuer: CN=ldap.example.com, O=OpenDJ Certificate
Serial number: 46d0e045
Valid from: Sun Apr 21 09:51:36 CEST 2013 until: Sat Apr 16 09:51:36 CEST 2033
Certificate fingerprints:
MD5: EA:2F:4B:92:88:51:43:D7:F3:14:F8:44:40:DE:01:B7
SHA1: 1F:7D:5F:76:D7:AA:1F:F6:0E:E9:EC:EF:BA:9D:BF:D6:2E:AC:32:D8
SHA256: 3D:87:1A:B5:5B:13:DF:CF:AA:5D:DC:C7:34:0E:92:E3:60:51:EA:92:36:EF:B4:59:14:A8:38:05:FD:25:CC:45
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
</screen>
</informalexample>
<informalexample>
<para>
<markup>Exampe 14</markup>: Create a new OpenDJ service and setup the
instance (since not specified, it will use the default instance data directory
</para>
<literallayout><prompt
</literallayout>
</informalexample>
</refsection>
<refsection>
<title>Environment Variables</title>
<variablelist>
<varlistentry>
<term>SMF_FMRI</term>
<listitem>
<para>
OpenSolaris based OS, only: Contains the SMF Fault Management Resource
Identifier of the SMF service to use to obtain the name of the instance data
used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INSTANCE_ROOT</term>
<listitem>
<para>
This variable should not explicitly set: it will be set to the value of the
(see SMF_FMRI above). However, if it is set, the service $SMF_FMRI gets not
queried for the mentioned property and thus can bee seen as an overwrite of
the instance data directory to be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INSTALL_ROOT</term>
<listitem>
<para>
Gets set by the OpenDJ tools internally and refers to the installation directory
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OPENDJ_JAVA_BIN</term>
<listitem>
<para>
The name of the java VM executable to use. If not set, it gets determined
automatically. NOTE: Usually one should <emphasis>not</emphasis> set it
explicitly but use <varname>$INSTANCE_ROOT</varname><filename
may even overrule, i.e. reset the value of this variable. See
<citerefentry><refentrytitle>dsjavaproperties</refentrytitle><xi:include
for more information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>JAVA_BIN</term>
<listitem>
<para>
Used as fallback for OPENDJ_JAVA_BIN (same note applies).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OPENDJ_JAVA_HOME</term>
<listitem>
<para>
Used as fallback to find the Java VM executable to use. Same note as for
OPENDJ_JAVA_BIN applies.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>JAVA_HOME</term>
<listitem>
<para>
Used as fallback to find the Java VM executable to use. Same note as for
OPENDJ_JAVA_BIN applies.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Files</title>
<variablelist>
<varlistentry>
<listitem>
<para>
The default OpenDJ install directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
The default OpenDJ server instance data directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
A Java properties file with default parameter settings to use, when a command,
that supports the option <option>--propertiesFilePath</option> gets launched
without the option <option>--noPropertiesFile</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
A Java properties file with default parameter settings to use, when a command,
that supports the option <option>--propertiesFilePath</option> gets launched
without the option <option>--noPropertiesFile</option> and there is no
tools.properties file in the user's
<varname>$HOME</varname><filename>/.opendj/</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
A tools.properties example incl. documentation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
A Java properties file used by <citerefentry><refentrytitle
xpointer='xpointer(//manvolnum[@name="v1m"])'/></citerefentry> to define the
default JVM executable and arguments to be used by OpenDJ tools.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
A java.properties example incl. documentation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname>/db</term>
<listitem>
<para>
Directory where the embedded Java Berkeley DB stores its files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
Directory containing LDIF templates incl. an example. See <citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/></citerefentry> for more
information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
The default Java Key Store (JKS) containing SSL [CA] certificate(s), which
should be used to determine, whether to trust a certificate sent by a client
certificate which is included in this store or is signed by an instance (or one
of its descendants) represented by a certificate in the truststore, the server
accepts the client certificate and checks its contents to do further
validation. So if you are using self-signed certificates, they need to be
included here as well.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
The default Java Key Store (JKS) containing SSL certificate(s) used by the
server itself for authentication/authorization for HTTP, JMX and LDAP based
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
<varname>$INSTANCE_ROOT</varname><filename>/config/keystore.p12</filename> and the PKCS#11 keystore, if they are used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
Same as <filename>truststore</filename>, but for admin port related connections, only.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
Same as the <filename>keystore</filename>, but for admin port related connections, only. Per default OpenDJ will use the certificate with the alias "admin-cert".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
Same as <filename>truststore</filename>, but for replication related connections, only. In contrast to the others, OpenDJ uses no separate keystore for its own certificate (per default alias "ads-certificate") and private key to use. So they need to be put into this keystore as well.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>$INSTANCE_ROOT</varname><filename
<listitem>
<para>
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<listitem>
<para>
Location of the OpenDJ authorization definitions. On Solaris 10 these
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
Location of the definition of the "OpenDJ Admin" profile description. On Solaris
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
Location of the OpenDJ execution profile. On Solaris 10 it is append to
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>See Also</title>
<para>
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
</para>
<para>
<!--
ls -1 man* | gsed -e 's,^man-,,' -e 's,.xml$,,' | \
egrep -v '(opendj|setup|upgrade|template)' | \
xargs -I {} printf '<citerefentry>
<refentrytitle>%s</refentrytitle><xi:include href="common.xml"
xpointer=%sxpointer(//manvolnum[@name="v1m"])%s/>
</citerefentry>, \n' {} "'" "'"
-->
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v1m"])'/>
</citerefentry>,
<citerefentry>
xpointer='xpointer(//manvolnum[@name="v5"])'/>
</citerefentry>
</para>
<para>
<citerefentry>
<refentrytitle>smf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rbac</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>useradd</refentrytitle><manvolnum>1M</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>usermod</refentrytitle><manvolnum>1M</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pfexec</refentrytitle><manvolnum>1M</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>svcadm</refentrytitle><manvolnum>1M</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>svccfg</refentrytitle><manvolnum>1M</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>svcprop</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>.
</para>
<para>
</para>
</refsection>
</refentry>