diff --git a/modules/ROOT/pages/configuration/configuration-settings.adoc b/modules/ROOT/pages/configuration/configuration-settings.adoc index f16433a01..d020afb95 100644 --- a/modules/ROOT/pages/configuration/configuration-settings.adoc +++ b/modules/ROOT/pages/configuration/configuration-settings.adoc @@ -60,7 +60,7 @@ Where `` is the name of the routing policy, and `>. See also, <>. [[config_db.checkpoint]] @@ -86,13 +85,13 @@ See also, <>. a|Configures the general policy for when checkpoints should occur. Possible values are: -* `PERIODIC` (default)- it runs a checkpoint as per the interval specified by `<>` and `<>`. +* `PERIODIC` (default)- it runs a checkpoint as per the interval specified by <> and <>. -* `VOLUME` -- it runs a checkpoint when the size of the transaction logs reaches the value specified by the `<>` setting. By default, it is set to `250.00MiB`. +* `VOLUME` -- it runs a checkpoint when the size of the transaction logs reaches the value specified by the <> setting. By default, it is set to `250.00MiB`. -* `CONTINUOUS` (Enterprise Edition) -- it ignores `<>` and `<>` settings and runs the checkpoint process all the time. +* `CONTINUOUS` (Enterprise Edition) -- it ignores <> and <> settings and runs the checkpoint process all the time. -* `VOLUMETRIC` (Enterprise Edition) -- it makes the best effort to checkpoint often enough so that the database does not get too far behind on deleting old transaction logs as specified in the `<>` setting. +* `VOLUMETRIC` (Enterprise Edition) -- it makes the best effort to checkpoint often enough so that the database does not get too far behind on deleting old transaction logs as specified in the <> setting. |Valid values a|One of [PERIODIC, CONTINUOUS, VOLUME, VOLUMETRIC]. |Default value 
@@ -496,8 +495,8 @@ m|+++LIST+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Minimum number of machines initially required to form a clustered DBMS. The cluster is considered formed when at least this many members have discovered each other, bound together, and bootstrapped a highly available system database. As a result, at least this many of the cluster's initial machines must have `<>` set to `PRIMARY`. + -NOTE: If `<>` is set to `LIST` and `<>` is empty, then the user is assumed to be deploying a standalone DBMS, and the value of this setting is ignored. +a|Minimum number of machines initially required to form a clustered DBMS. The cluster is considered formed when at least this many members have discovered each other, bound together, and bootstrapped a highly available system database. As a result, at least this many of the cluster's initial machines must have <> set to `PRIMARY`. + +NOTE: If <> is set to `LIST` and <> is empty, then the user is assumed to be deploying a standalone DBMS, and the value of this setting is ignored. |Valid values a|An integer that is minimum `1`. |Default value @@ -595,7 +594,7 @@ m|+++true+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|The time allowed for a database on a Neo4j server to either join a cluster or form a new cluster with at least the quorum of the members available. The members are provided by `<>` for the system database and by the topology graph for standard databases. +a|The time allowed for a database on a Neo4j server to either join a cluster or form a new cluster with at least the quorum of the members available. The members are provided by <> for the system database and by the topology graph for standard databases. |Valid values a|A duration (Valid units are: `ns`, `μs`, `ms`, `s`, `m`, `h` and `d`; default unit is `s`). |Default value 
@@ -905,7 +904,7 @@ m|+++:6000+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Comma-separated list of tags to be used by the connect-randomly-to-server-with-tag selection strategy. The connect-randomly-to-server-with-tag strategy is used when the list of strategies (`<>`) includes the value `connect-randomly-to-server-with-tag`. +a|Comma-separated list of tags to be used by the connect-randomly-to-server-with-tag selection strategy. The connect-randomly-to-server-with-tag strategy is used when the list of strategies (<>) includes the value `connect-randomly-to-server-with-tag`. |Valid values a|A comma-separated list where each element is a string identifying a server tag. |Default value @@ -937,7 +936,7 @@ m|++++++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Configuration of a user-defined upstream selection strategy. The user-defined strategy is used when the list of strategies (`<>`) includes the value `user_defined`. +a|Configuration of a user-defined upstream selection strategy. The user-defined strategy is used when the list of strategies (<>) includes the value `user_defined`. |Valid values a|A string. |Default value @@ -969,7 +968,7 @@ m|+++:6000+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Use native transport if available. Epoll for Linux or Kqueue for MacOS/BSD. If this setting is set to false, or if native transport is not available, Nio transport will be used. +a|Use native transport if available. Epoll for Linux or Kqueue for MacOS/BSD. If this setting is set to `false`, or if native transport is not available, Nio transport will be used. |Valid values a|A boolean. |Default value 
@@ -1749,8 +1748,8 @@ m|++++++ |Description a|Routing strategy for `neo4j://` protocol connections. Default is `CLIENT`, using client-side routing, with server-side routing as a fallback (if enabled). -When set to `SERVER`, client-side routing is short-circuited, and requests rely on server-side routing (which must be enabled for proper operation, i.e. `<>=true`). -Can be overridden by `<>`. +When set to `SERVER`, client-side routing is short-circuited, and requests rely on server-side routing, which must be enabled for proper operation using <>=`true`. +Can be overridden by <>. |Valid values a|One of [SERVER, CLIENT]. |Default value @@ -2021,7 +2020,7 @@ m|+++true+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Set this to specify the behavior when Cypher planner or runtime hints cannot be fulfilled. If true, then non-conformance will result in an error, otherwise only a warning is generated. +a|Set this to specify the behavior when Cypher planner or runtime hints cannot be fulfilled. If `true`, then non-conformance will result in an error, otherwise only a warning is generated. |Valid values a|A boolean. |Default value 
@@ -2078,7 +2077,7 @@ m|+++false+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|The minimum time between possible Cypher query replanning events. After this time, the graph statistics will be evaluated, and if they have changed by more than the value set by <>, the query will be replanned. If the statistics have not changed sufficiently, the same interval will need to pass before the statistics will be evaluated again. Each time they are evaluated, the divergence threshold will be reduced slightly until it reaches 10% after 7h, so that even moderately changing databases will see query replanning after a sufficiently long time interval. +a|The minimum time between possible Cypher query replanning events. After this time, the graph statistics will be evaluated, and if they have changed by more than the value set by <>, the query will be replanned. If the statistics have not changed sufficiently, the same interval will need to pass before the statistics will be evaluated again. Each time they are evaluated, the divergence threshold will be reduced slightly until it reaches 10% after 7h, so that even moderately changing databases will see query replanning after a sufficiently long time interval. |Valid values a|A duration (Valid units are: `ns`, `μs`, `ms`, `s`, `m`, `h` and `d`; default unit is `s`). |Default value 
@@ -2130,7 +2129,7 @@ If any of the underlying statistics used to create the plan have changed more th This means that a value of `0.75` requires the database to quadruple in size before query replanning. A value of `0` means that the query will be replanned as soon as there is any change in statistics and the replan interval has elapsed. -This interval is defined by `<>` and defaults to 10s. After this interval, the divergence threshold will slowly start to decline, reaching 10% after about 7h. This will ensure that long running databases will still get query replanning on even modest changes, while not replanning frequently unless the changes are very large. +This interval is defined by <> and defaults to 10s. After this interval, the divergence threshold will slowly start to decline, reaching 10% after about 7h. This will ensure that long running databases will still get query replanning on even modest changes, while not replanning frequently unless the changes are very large. |Valid values a|A double that is in the range `0.0` to `1.0`. |Default value @@ -2618,8 +2617,8 @@ m|+++false+++ a|Log executed queries. Valid values are `OFF`, `INFO`, or `VERBOSE`. `OFF`:: no logging. -`INFO`:: log queries at the end of execution, that take longer than the configured threshold, `<>`. -`VERBOSE`:: log queries at the start and end of execution, regardless of `<>`. +`INFO`:: log queries at the end of execution, that take longer than the configured threshold, <>. +`VERBOSE`:: log queries at the start and end of execution, regardless of <>. Log entries are written to the query log. @@ -2639,7 +2638,7 @@ m|+++VERBOSE+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Sets a maximum character length use for each parameter in the log. This only takes effect if `<> = true`. +a|Sets a maximum character length use for each parameter in the log. This only takes effect if <> = `true`. |Valid values a|An integer. |Default value 
@@ -2695,7 +2694,7 @@ a|Log query plan description table, useful for debugging purposes. |Valid values a|A boolean. |Default value -m|false +m|+++false+++ |=== @@ -2725,7 +2724,7 @@ m|+++0s+++ |Description a|Log the start and end of a transaction. Valid values are 'OFF', 'INFO', or 'VERBOSE'. OFF: no logging. -INFO: log the start and end of transactions that take longer than the configured threshold, <>. +INFO: log the start and end of transactions that take longer than the configured threshold, <>. VERBOSE: log the start and end of all transactions. Log entries are written to the query log. |Valid values @@ -2743,7 +2742,7 @@ m|+++OFF+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (<>) is set to `INFO`. Defaults to 0 seconds (all transactions are logged). +a|If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (<>) is set to `INFO`. Defaults to 0 seconds (all transactions are logged). |Valid values a|A duration (Valid units are: `ns`, `μs`, `ms`, `s`, `m`, `h` and `d`; default unit is `s`). |Default value @@ -3723,7 +3722,7 @@ m|+++10m+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Enable time-based eviction of the authentication and authorization info cache for external auth providers (OIDC, LDAP or plugin). Disabling this setting will make the cache live forever and only be evicted when `<>` is exceeded. +a|Enable time-based eviction of the authentication and authorization info cache for external auth providers (OIDC, LDAP or plugin). Disabling this setting will make the cache live forever and only be evicted when <> is exceeded. |Valid values a|A boolean. |Default value 
@@ -3742,7 +3741,7 @@ a|Enable auth requirement to access Neo4j. |Valid values a|A boolean. |Default value -m|true +m|+++true+++ |=== @@ -3784,7 +3783,7 @@ m|+++5s+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|The maximum number of unsuccessful authentication attempts before imposing a user lock for the configured amount of time, as defined by `<>`.The locked out user will not be able to log in until the lock period expires, even if correct credentials are provided. Setting this configuration option to values less than 3 is not recommended because it might make it easier for an attacker to brute force the password. +a|The maximum number of unsuccessful authentication attempts before imposing a user lock for the configured amount of time, as defined by <>.The locked out user will not be able to log in until the lock period expires, even if correct credentials are provided. Setting this configuration option to values less than 3 is not recommended because it might make it easier for an attacker to brute force the password. |Valid values a|An integer that is minimum `0`. |Default value @@ -3958,7 +3957,7 @@ m| |=== |Description a|The attribute to use when looking up users. -Using this setting requires `<>` to be true and thus `<>` and `<>` to be configured. +Using this setting requires <> to be `true` and thus <> and <> to be configured. |Valid values a|A string that matches the pattern `[A-Za-z0-9-]*` (has to be a valid LDAP attribute name, only containing letters [A-Za-z], digits [0-9] and hyphens [-].). |Default value 
@@ -3974,7 +3973,7 @@ m|+++samaccountname+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Determines if the result of authentication via the LDAP server should be cached or not. Caching is used to limit the number of LDAP requests that have to be made over the network for users that have already been authenticated successfully. A user can be authenticated against an existing cache entry (instead of via an LDAP server) as long as it is alive (see `<>`). +a|Determines if the result of authentication via the LDAP server should be cached or not. Caching is used to limit the number of LDAP requests that have to be made over the network for users that have already been authenticated successfully. A user can be authenticated against an existing cache entry (instead of via an LDAP server) as long as it is alive (see <>). An important consequence of setting this to `true` is that Neo4j then needs to cache a hashed version of the credentials in order to perform credentials matching. This hashing is done using a cryptographic hash function together with a random salt. Preferably a conscious decision should be made if this method is considered acceptable by the security standards of the organization in that this Neo4j instance is deployed. |Valid values a|A boolean. @@ -4008,7 +4007,7 @@ m|+++simple+++ |=== |Description a|Perform authentication by searching for an unique attribute of a user. -Using this setting requires `<>` and `<>` to be configured. +Using this setting requires <> and <> to be configured. |Valid values a|A boolean. |Default value 
@@ -4040,7 +4039,7 @@ m|+++uid={0},ou=users,dc=example,dc=com+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|The LDAP group to which a user must belong to get any access to the system.Set this to restrict access to a subset of LDAP users belonging to a particular group. If this is not set, any user to successfully authenticate via LDAP will have access to the PUBLIC role and any other roles assigned to them via <>. +a|The LDAP group to which a user must belong to get any access to the system.Set this to restrict access to a subset of LDAP users belonging to a particular group. If this is not set, any user to successfully authenticate via LDAP will have access to the PUBLIC role and any other roles assigned to them via <>. |Valid values a|A string. |Default value @@ -4096,7 +4095,7 @@ m|++++++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). If set to `true` then instead of using attributes on the user object to determine group membership (as specified by `<>`), the `user` object will only be used to determine the user's Distinguished Name, which will subsequently be used with `<>` in order to perform a nested group search. The Distinguished Names of the resultant group search results will be used to determine roles. +a|This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). If set to `true` then instead of using attributes on the user object to determine group membership (as specified by <>), the `user` object will only be used to determine the user's Distinguished Name, which will subsequently be used with <> in order to perform a nested group search. The Distinguished Names of the resultant group search results will be used to determine roles. |Valid values a|A boolean. |Default value 
@@ -4112,7 +4111,7 @@ m|+++false+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|The search template which will be used to find the nested groups which the user is a member of. The filter should contain the placeholder token `{0}` which will be substituted with the user's Distinguished Name (which is found for the specified user principle using `<>`). The default value specifies Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (aka 1.2.840.113556.1.4.1941) implementation which will walk the ancestry of group membership for the specified user. +a|The search template which will be used to find the nested groups which the user is a member of. The filter should contain the placeholder token `{0}` which will be substituted with the user's Distinguished Name (which is found for the specified user principle using <>). The default value specifies Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (aka 1.2.840.113556.1.4.1941) implementation which will walk the ancestry of group membership for the specified user. |Valid values a|A string. |Default value @@ -4128,7 +4127,7 @@ m|+++(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|An LDAP system account password to use for authorization searches when `<>` is `true`. +a|An LDAP system account password to use for authorization searches when <> is `true`. |Valid values a|A secure string. |Default value @@ -4144,7 +4143,7 @@ m| [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|An LDAP system account username to use for authorization searches when `<>` is `true`. Note that the `<>` will not be applied to this username, so you may have to specify a full DN. +a|An LDAP system account username to use for authorization searches when <> is `true`. Note that the <> will not be applied to this username, so you may have to specify a full DN. |Valid values a|A string. |Default value 
@@ -4161,9 +4160,9 @@ m| |=== |Description a|Perform LDAP search for authorization info using a system account instead of the user's own account. -If this is set to `false` (default), the search for group membership will be performed directly after authentication using the LDAP context bound with the user's own account. The mapped roles will be cached for the duration of `<>`, and then expire, requiring re-authentication. To avoid frequently having to re-authenticate sessions you may want to set a relatively long auth cache expiration time together with this option. + +If this is set to `false` (default), the search for group membership will be performed directly after authentication using the LDAP context bound with the user's own account. The mapped roles will be cached for the duration of <>, and then expire, requiring re-authentication. To avoid frequently having to re-authenticate sessions you may want to set a relatively long auth cache expiration time together with this option. + NOTE: This option will only work if the users are permitted to search for their own group membership attributes in the directory. -If this is set to `true`, the search will be performed using a special system account user with read access to all the users in the directory. You need to specify the username and password using the settings `<>` and `<>` with this option. Note that this account only needs read access to the relevant parts of the LDAP directory and does not need to have access rights to Neo4j, or any other systems. +If this is set to `true`, the search will be performed using a special system account user with read access to all the users in the directory. You need to specify the username and password using the settings <> and <> with this option. Note that this account only needs read access to the relevant parts of the LDAP directory and does not need to have access rights to Neo4j, or any other systems. |Valid values a|A boolean. |Default value 
@@ -4179,7 +4178,7 @@ m|+++false+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|The name of the base object or named context to search for user objects when LDAP authorization is enabled. A common case is that this matches the last part of `<>`. +a|The name of the base object or named context to search for user objects when LDAP authorization is enabled. A common case is that this matches the last part of <>. |Valid values a|A string that cannot be empty. |Default value @@ -4228,7 +4227,7 @@ m|+++30s+++ |=== |Description a|URL of LDAP server to use for authentication and authorization. The format of the setting is `://:`, where hostname is the only required field. The supported values for protocol are `ldap` (default) and `ldaps`. The default port for `ldap` is 389 and for `ldaps` 636. For example: `ldaps://ldap.example.com:10389`. -You may want to consider using STARTTLS (`<>`) instead of LDAPS for secure connections, in which case the correct protocol is `ldap`. +You may want to consider using STARTTLS (<>) instead of LDAPS for secure connections, in which case the correct protocol is `ldap`. |Valid values a|A string. |Default value @@ -4461,7 +4460,7 @@ a|The accepted values (all optional) are: * `code_challenge_method`: default is `S256` and it's the only supported method at this moment. This setting applies only for pkce auth flow * `token_type_principal`: the options are almost always either `access_token`, which is the default, or `id_token`. * `token_type_authentication`: the options are almost always either `access_token`, which is the default, or `id_token`. -* `implicit_flow_requires_nonce`: true or false. Defaults to false. +* `implicit_flow_requires_nonce`: `true` or `false`. Defaults to `false`. |Valid values a|A simple key-value map pattern `k1=v1;k2=v2`. Valid key options are: `[implicit_flow_requires_nonce, token_type_authentication, token_type_principal, principal, code_challenge_method]`. 
@@ -5069,7 +5068,7 @@ m|+++true+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|Whether or not any database on this instance is read_only by default. If false, individual databases may be marked as read_only using server.database.read_only. If true, individual databases may be marked as writable using <>. +a|Whether or not any database on this instance is read_only by default. If `false`, individual databases may be marked as read_only using server.database.read_only. If `true`, individual databases may be marked as writable using <>. |Valid values a|A boolean. |Default value @@ -5085,7 +5084,7 @@ m|+++false+++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|List of databases for which to prevent write queries. Databases not included in this list maybe read_only anyway depending upon the value of <>. +a|List of databases for which to prevent write queries. Databases not included in this list maybe read_only anyway depending upon the value of <>. |Valid values a| A comma-separated set where each element is a valid database name containing only alphabetic characters, numbers, dots, and dashes with a length between 3 and 63 characters, starting with an alphabetic character or number but not with the name system. |Default value 
@@ -5101,7 +5100,7 @@ m|++++++ [frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"] |=== |Description -a|List of databases for which to allow write queries. Databases not included in this list will allow write queries anyway, unless <> is set to true. +a|List of databases for which to allow write queries. Databases not included in this list will allow write queries anyway, unless <> is set to `true`. |Valid values a|A comma-separated set where each element is a valid database name containing only alphabetic characters, numbers, dots, and dashes with a length between 3 and 63 characters, starting with an alphabetic character or number but not with the name system. |Default value @@ -5152,7 +5151,7 @@ a|Controls whether the Neo4j process will shut down, if there is a server panic |Valid values a|A boolean. |Default value -m|true label:changed[Changed in 2025.01] +m|+++true+++ label:changed[Changed in 2025.01] |=== diff --git a/modules/ROOT/pages/configuration/connectors.adoc b/modules/ROOT/pages/configuration/connectors.adoc index 0902ad409..174ff7585 100644 --- a/modules/ROOT/pages/configuration/connectors.adoc +++ b/modules/ROOT/pages/configuration/connectors.adoc @@ -25,7 +25,7 @@ When configuring the HTTPS or Bolt connectors, see also xref:security/ssl-framew [[connectors-configuration-options]] == Configuration options -The network connectors are configured by settings in the format `server..>`. +The network connectors are configured by settings in the format `server..`. .Configuration option suffixes for network connectors [options="header",cols="15,25,60,60"]
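Review bot: In the `@@ -86,13 +85,13 @@` hunk of configuration-settings.adoc, the rewritten `PERIODIC` bullet still reads "`PERIODIC` (default)- it runs", with a single hyphen and no space before it, while the `VOLUME`, `CONTINUOUS` and `VOLUMETRIC` bullets in the same hunk use " -- ". Since the line is being rewritten anyway, change it to "`PERIODIC` (default) -- it runs a checkpoint ..." so the four bullets are punctuated the same way.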
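Review bot: In the `@@ -1749,8 +1748,8 @@` hunk, the new wording "which must be enabled for proper operation using <>=`true`" attaches `=` directly to the cross-reference, which is hard to read once the link is rendered. Suggest "which must be enabled for proper operation by setting <> to `true`", matching the "requires <> to be `true`" phrasing this patch uses in the `@@ -3958,7 +3957,7 @@` hunk.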
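Review bot: In the `@@ -2639,7 +2638,7 @@` hunk, the added line keeps "Sets a maximum character length use for each parameter in the log", which is ungrammatical; "length to use" or "length used" is what is meant. The same line writes the condition as "<> = `true`" with spaces around the equals sign, while the `@@ -1749,8 +1748,8 @@` hunk writes "<>=`true`" without them. Pick one form, or better, write "if <> is set to `true`".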
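Review bot: In the `@@ -2725,7 +2724,7 @@` hunk, the description still lists the values as 'OFF', 'INFO', or 'VERBOSE' in single quotes and then as bare "OFF:", "INFO:", "VERBOSE:" lines, while the query-logging description in the `@@ -2618,8 +2617,8 @@` hunk uses backticks and a `::` description list for the same three values. As this patch is normalising literal formatting, convert this block to the same form so both logging settings read alike.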
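Review bot: In the `@@ -3784,7 +3783,7 @@` hunk, the description warns against values less than 3 but never says what the lowest permitted value does, although the Valid values row allows "An integer that is minimum `0`". For a lockout control that matters: state explicitly what `0` means, so a reader can tell why a lower number would make brute forcing easier rather than harder. The added line also still lacks a space after the cross-reference ("<>.The locked out user"); add it while the line is being changed.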
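Review bot: In the `@@ -4040,7 +4039,7 @@` hunk, the added line carries over two defects in the one sentence that explains who gets access when no group is configured: the missing space in "access to the system.Set this" and the phrasing "any user to successfully authenticate via LDAP". Suggest "access to the system. Set this to restrict ..." and "any user who successfully authenticates via LDAP will have access to the PUBLIC role ...", since this is the text an operator relies on to understand the unset default.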
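Review bot: In the `@@ -4112,7 +4111,7 @@` hunk, the added line still says "the specified user principle"; the term here is "user principal". Worth fixing in the same change, since the line is already being rewritten for the cross-reference.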
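Review bot: In the `@@ -5069,7 +5068,7 @@` hunk, `false` and `true` are now in backticks but "read_only" and "server.database.read_only" on the same added line are left as plain text, and the writable counterpart is a cross-reference while "server.database.read_only" is not. Format the setting name as a literal or, for symmetry with the second sentence, as a cross-reference to that setting's entry.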
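Review bot: In the `@@ -5085,7 +5084,7 @@` hunk, the added line keeps "Databases not included in this list maybe read_only anyway"; "maybe" should be "may be", and `read_only` should be a literal to match the formatting applied elsewhere in this patch. The sentence describes when writes are blocked regardless of the list, so it should read unambiguously.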