Operational Attributes, Special Attributes, and Special Object Classes

Schema Reference
Red Hat Directory Server

Index

Chapter 4

Operational Attributes, Special Attributes, and Special Object Classes

This chapter provides definitions, syntax, and OIDs used by Red Hat Directory Server (Directory Server). Operational attributes are available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are only returned in an ldapsearch operation if specifically requested. This chapter also provides definitions, syntax, and OIDs for some special attributes and object classes that are used by the server. The attributes are listed by section, then alphabetically.

Replication and synchronization object classes are in "Special Object Classes" on page 170; attributes for these object classes are listed in chapter 2, "Core Server Configuration Reference," in the Red Hat Directory Server Configuration, Command, and File Reference.

This chapter contains the following sections:

Operational Attributes (page 146)
Special Attributes (page 165)
Special Object Classes (page 170)

Operational Attributes

accountUnlockTime

Definition

This refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.

This attribute is defined in Directory Server.

Syntax

DirectoryString, multi-valued

OID

2.16.840.1.113730.3.1.95

aci

Definition

Used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.

This attribute is defined in Directory Server.

Syntax

IA5String, multi-valued

OID

2.16.840.1.113730.3.1.55

altServer

Definition

The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. You may cache this information in case your preferred LDAP server later becomes unavailable.

This attribute is defined in RFC 2252.

Syntax

IA5String, multi-valued.

OID

1.3.6.1.4.1.1466.101.120.6

attributeTypes

Definition

Multi-valued attribute that specifies the attribute types used within a subschema. Each value describes a single attribute.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

2.5.21.5

copiedFrom

Definition

Used by a read-only replica to recognize a master data source. Contains a reference to the server that holds the master data. This attribute is only used for legacy replication. It is not used for multi-master replication.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.613

copyingFrom

Definition

Used by a read-only replica to recognize a master data source while replication is in progess. Contains a reference to the server that holds the master data. This attribute is only used for legacy replication. It is not used for multi-master replication.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.614

dITContentRules

Definition

Multi-valued attribute that defines the DIT content rules which are in force within a subschema. Each value defines one DIT content rule. Each value is tagged by the object identifier of the structural object class to which it pertains.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

2.5.21.2

dITStructureRules

Definition

Multi-valued attribute that defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

2.5.21.1

ldapSyntaxes

Definition

This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

1.3.6.1.4.1.1466.101.120.16

matchingRules

Definition

Multi-valued attribute that defines the matching rules used within a subschema. Each value defines one matching rule.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

2.5.21.4

matchingRuleUse

Definition

Used to indicate the attribute types to which a matching rule applies in a subschema.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

2.5.21.8

nameForms

Definition

Multi-valued attribute that defines the name forms used in a subschema. Each value defines one name form.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

2.5.21.7

namingContexts

Definition

Corresponds to a naming context the server is mastering or shadowing. When the Directory Server does not master any information (such as when it is an LDAP gateway to a public X.500 directory), this attribute is absent. When the Directory Server believes it contains the entire directory, the attribute has a single value, and that value is the empty string (indicating the null DN of the root).This attribute permits a client contacting a server to choose suitable base objects for searching.

This attribute is defined in RFC 2252.

Syntax

DN, multi-valued.

OID

1.3.6.1.4.1.1466.101.120.5

nsRole

Definition

This attribute is a computed attribute that is not stored with the entry itself. It identifies to which roles an entry belongs.

This attribute is defined in Directory Server.

Syntax

DN, multi-valued.

OID

2.16.840.1.113730.3.1.574

nsRoleDn

Definition

This attribute contains the distinguished name of all roles that apply to an entry. Membership of a managed role is conferred upon an entry by adding the role's DN to the entry's nsRoleDN attribute.

For example:
dn: cn=staff,o=redhat,o=example.com

objectclass: LDAPsubentry

objectclass: nsRoleDefinition

objectclass: nsSimpleRoleDefinition

objectclass: nsManagedRoleDefinition
 
dn: cn=userA,ou=users,o=redhat,o=example.com

objectclass: top

objectclass: person

sn: uA

userpassword: secret

nsroledn: cn=staff,o=redhat,o=example.com
 
A nested role specifies containment of one or more roles of any type. In that case, nsRoleDN defines the DN of the contained roles.

For example:
dn: cn=everybody,o=redhat,o=example.com

objectclass: LDAPsubentry

objectclass: nsRoleDefinition

objectclass: nsComplexRoleDefinition

objectclass: nsNestedRoleDefinition

nsroledn: cn=manager,o=redhat,o=example.com

nsroledn: cn=staff,o=redhat,o=example.com
 
This attribute is defined in Directory Server.

Syntax

DN, multi-valued.

OID

2.16.840.1.113730.3.1.575

numSubordinates

Description

Indicates now many immediate subordinates an entry has.

For example, numSubordinates=0 in a leaf entry.

This attribute is defined in numSubordinates Internet Draft.

Syntax

INTEGER, single-valued.

OID

1.3.1.1.4.1.453.16.2.103

objectClasses

Definition

Multi-valued attribute that defines the object classes used in a subschema. Each value defines one object class.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

2.5.21.6

passwordAllowChangeTime

Definition

Used to specify the length of time that must pass before the user is allowed to change his password.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.214

passwordChange (pwdAllowUserChange)

Definition

Specifies whether users may change their passwords.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.102

passwordCheckSyntax (pwdCheckSyntax)

Definition

Specifies whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user's name or ID or any attribute value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's directory entry.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.103

passwordExp

Definition

Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the passwordMaxAge (pwdMaxAge) attribute.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.98

passwordExpirationTime

Definition

Used to specify the length of time that passes before the user's password expires.

This attribute is defined in Directory Server.

Syntax

GeneralizedTime, single-valued.

OID

2.16.840.1.113730.3.1.91

passwordExpWarned

Definition

Used to indicate that a password expiration warning has been sent to the user.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.92

passwordGraceLimit

Definition

Used to specify the number of (grace) login attempts that are allowed to a user after the password has expired.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.999

passwordGraceUserTime

Definition

Used to count the number of attempts the user has made with the expired password.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.998

passwordHistory

Definition

Contains the history of the user's previous passwords.

This attribute is defined in Directory Server.

Syntax

Binary, multi-valued.

OID

2.16.840.1.113730.3.1.96

passwordInHistory (pwdInHistory)

Definition

Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled. That is, the Directory Server does not store any old passwords, so users can reuse passwords. You can enable password history by using the passwordInHistory (pwdInHistory) attribute.

To prevent users from rapidly cycling through the number of passwords that you are tracking, use the passwordMinAge attribute.

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.101

passwordLockout (pwdLockOut)

Definition

Indicates whether users will be locked out of the directory after a given number of failed bind attempts. By default, users will not be locked out of the directory after a series of failed bind attempts. If you enable account lockout, you can set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure (pwdMaxFailure) attribute.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.105

passwordLockoutDuration (pwdLockoutDuration)

Definition

Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the passwordLockout (pwdLockOut) attribute.

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.109

passwordMaxAge (pwdMaxAge)

Definition

Indicates the number of seconds after which user passwords will expire. To use this attribute, you must enable password expiration using the passwordExp attribute.

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.97

passwordMaxFailure (pwdMaxFailure)

Definition

Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the passwordLockout (pwdLockOut) attribute.

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.106

passwordMinAge (pwdMinAge)

Definition

Indicates the number of seconds that must pass before a user can change his password. Use this attribute in conjunction with the passwordInHistory (pwdInHistory) attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) indicates that the user can change the password immediately.

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.222

passwordMinLength (pwdMinLength)

Definition

Specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack, so you are recommended to set a password length of at least 6 or 7 characters. This is long enough to be difficult to crack, but short enough that users can remember the password without writing it down.

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.99

passwordMustChange (pwdMustChange)

Definition

Indicates whether users must change their passwords when they first bind to the Directory Server or when the password has been reset by the Manager DN.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.220

passwordResetFailureCount (pwdFailureCountInterval)

Definition

Indicates the amount of time in seconds after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout (pwdLockOut) attribute is set to on, users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure (pwdMaxFailure) attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration (pwdLockoutDuration) attribute, the failure counter is reset to zero (0).

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.223

passwordRetryCount

Definition

Used to count the number of consecutive failed attempts at entering the correct password.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.93

passwordStorageScheme

Definition

Specifies the type of encryption used to store Directory Server passwords. Entering the password in CLEAR for this attribute indicates that the password will appear in plain text.

The following encryption types are supported by Directory Server:

SSHA (Salted Secure Hash Algorithm) is the recommended method as it is the most secure.
SHA (Secure Hash Algorithm) is supplied only for compatibility with 4.x legacy servers and should not be used otherwise.
CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.221

passwordUnlock

Definition

Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. If this passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account will be locked indefinitely.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.108

passwordWarning (pwdExpireWarning)

Definition

Indicates lengh of time in seconds before a user's password expires that the user will receive a password expiration warning. The warning control will appear on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.

This attribute is defined in Directory Server.

Syntax

Integer, single-valued.

OID

2.16.840.1.113730.3.1.104

pwdpolicysubentry

Definition

Points to the entry DN of the new password policy.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.997

retryCountResetTime

Definition

Specifies the length of time that passes before the passwordRetryCount is reset.

This attribute is defined in Directory Server.

Syntax

DirectoryString, single-valued.

OID

2.16.840.1.113730.3.1.94

subschemaSubentry

Definition

DN of an entry that contains schema information.

For example:
subschemaSubentry: cn=schema 
 
This attribute is defined in RFC 2252.

Syntax

DN, single-valued.

OID

2.5.18.10

supportedControl

Definition

The values of this attribute are the object identifiers (OIDs) that identify the controls supported by the server. When the server does not support controls, this attribute is absent.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

1.3.6.1.4.1.1466.101.120.13

supportedExtension

Definition

The values of this attribute are the object identifiers (OIDs) that identify the supported extended operations supported by the server. When the server does not support extensions, this attribute is absent.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

1.3.6.1.4.1.1466.101.120.7

supportedLDAPVersion

Definition

Identifies the versions of the LDAP protocol implemented by the server.

This attribute is defined in RFC 2252.

Syntax

INTEGER, multi-valued.

OID

1.3.6.1.4.1.1466.101.120.15

supportedSASLMechanisms

Definition

Identifies the names of supported SASL mechanisms supported by the server. When the server does not support SASL attributes, this attribute is absent.

This attribute is defined in RFC 2252.

Syntax

DirectoryString, multi-valued.

OID

1.3.6.1.4.1.1466.101.120.14

Special Attributes

changes

Description

Contains the changes made to the entry for add and modify operations in LDIF format.

This attribute is defined in Changelog Internet Draft.

Syntax

Binary, multi-valued.

OID

2.16.840.1.113730.3.1.8

changeLog

Description

The distinguished name of the entry which contains the set of entries comprising the server's changelog.

This attribute is defined in Changelog Internet Draft.

Syntax

DN, multi-valued.

OID

2.16.840.1.113730.3.1.35

changeNumber

Description

This single-valued attribute is always present. It contains an integer which uniquely identifies each change made to a directory entry. This number is related to the order in which the change occurred. The higher the number, the later the change.

This attribute is defined in Changelog Internet Draft.

Syntax

Integer, multi-valued.

OID

2.16.840.1.113730.3.1.5

changeTime

Description

Defines a time, in a YYMMDDHHMMSS format, when the entry was added.

This attribute is defined in Directory Server.

Syntax

DirectoryString, multi-valued.

OID

2.16.840.1.113730.3.1.77

changeType

Description

Specifies the type of LDAP operation. This attribute can have one of the following values: add, delete, modify, or modrdn.

For example:
changeType: modify
 
This attribute is defined in Changelog Internet Draft.

Syntax

DirectoryString, multi-valued.

OID

2.16.840.1.113730.3.1.7

deleteOldRdn

Description

In the case of modrdn operations, specifies whether the old RDN was deleted.

This attribute is defined in Changelog Internet Draft.

Syntax

Boolean, multi-valued.

OID

2.16.840.1.113730.3.1.10

newRdn

Description

In the case of modrdn operations, specifies the new RDN of the entry.

This attribute is defined in Changelog Internet Draft.

Syntax

DN, multi-valued.

OID

2.16.840.1.113730.3.1.9

newSuperior

Description

In the case of modrdn operations, specifies the newSuperior attribute of the entry.

This attribute is defined in Changelog Internet Draft.

Syntax

DN, multi-valued.

OID

2.16.840.1.113730.3.1.11

nsEncryptionAlgorithm

Description

Specifies the encryption cipher for the encrypted attribute(s) in the nsAttributeEncryption object class.

This attribute is defined in Directory Server.

Syntax

ces, single-valued

OID

2.16.840.1.113730.3.1.2063

nsSaslMapBaseDNTemplate

Description

Contains the search base DN template used in SASL identity mapping.

This attribute is defined in Directory Server.

Syntax

ces, single-valued

OID

2.16.840.1.113730.3.1.2065

nsSaslMapFilterTemplate

Description

Contains the search filter template used in SASL identity mapping.

This attribute is defined in Directory Server.

Syntax

Case-Exact String, single-valued

OID

2.16.840.1.113730.3.1.2066

nsSaslMapRegexString

Description

Contains a regular expression used to map SASL identity strings.

This attribute is defined in Directory Server.

Syntax

ces, single-valued

OID

2.16.840.1.113730.3.1.2064

targetDn

Description

Contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved.

This attribute is defined in Changelog Internet Draft.

Syntax

DN, multi-valued.

OID

2.16.840.1.113730.3.1.6

Special Object Classes

changeLogEntry

Definition

Used to represent changes made to the Directory Server. You can configure Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4.1x by enabling the Retro Changelog Plug-in. Each entry in the changelog has the object class changeLogEntry.

This object class is defined in Changelog Internet Draft.

Superior Class

top

OID

2.16.840.1.113730.3.2.1

Required Attributes

objectClass

Defines the object classes for the entry.

changeNumber

Number assigned arbitrarily to the changelog.

changeTime

The time at which a change took place.

changeType

The type of change performed on an entry.

targetDn

The distinguished name of an entry added, modified or deleted on a supplier server.

Allowed Attributes

changes

Changes made to the Directory Server.

deleteOldRdn

A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry or should be deleted.

newRdn

New RDN of an entry that is the target of a modRDN or modDN operation.

newSuperior

Name of the entry that becomes the immediate superior of the existing entry when processing a modDN operation.

nsAttributeEncryption

Definition

Encrypts selected attributes within a Directory Server database.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.316

Required Attributes:

attributeName

The common name of the attribute being encrypted.

nsEncryptionAlgorithm

The encryption cipher used.

databaseName

The name of the database where the attribute is stored.

nsDS5Replica

Definition

Contains the attributes set for a replica in regular replication. Many of these attributes are set within the backend and cannot be modified.

Information on the attributes for this object class are in chapter 2 of the Red Hat Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.108

Required Attributes:

cn (commonName)

Used for naming the replica.

nsDS5ReplicaBindDN

Specifies the DN to use when a supplier server binds to a consumer.

nsDS5ReplicaId

Specifies the unique ID for suppliers in a replication environment.

nsDS5ReplicaType

Defines the type of replica, e.g. read-only consumer.

Allowed Attributes:

nsDS5Flags

Allows you to specify information that has been previously set in flags.

nsDS5ReplicaChangeCount

Gives the total number of entries in the changelog and whether they have been replicated.

nsDS5ReplicaLegacyConsumer

Specifies whether the replica is a legacy consumer.

nsDS5ReplicaName

Specifies the unique ID for the replica for internal operations.

nsDS5ReplicaPurgeDelay

Specifies the time in seconds before the changelog is purged.

nsDS5ReplicaReferral

Specifies the URLs for user-defined referrals.

nsDS5ReplicaRoot

Specifies the suffix DN at the root of a replicated area.

nsDS5ReplicaTombstonePurgeInterval

Specifies the time interval in seconds between purge operation cycles.

nsState

Stores information on the clock so that proper change sequence numbers are generated.

nsDS5ReplicationAgreement

Definition

Stores the information set in the replication agreement. Information on the attributes for this object class are in chapter 2 of the Red Hat Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.103

Required Attributes:

cn (commonName)

Used for naming the replication agreement.

nsDS5ReplicaBindDN

Specifies the DN to use when a supplier server binds to a consumer.

nsDS5ReplicaBindMethod

Specifies the method (SSL or simple authentication) to use for binding.

nsDS5ReplicaCredentials

Specifies the password for the bind DN.

nsDS5ReplicaHost

Specifies the hostname for the consumer replica.

nsDS5ReplicaPort

Specifies the port number for the remote replica.

nsDS5ReplicaUpdateSchedule

Specifies the replication schedule.

Allowed Attributes:

description

Free form text description of the replication agreement.

nsDS5ReplicaBusyWaitTime

Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

nsDS5ReplicaChangesSentSinceStartup

The number of changes sent to this replica since the server started.

nsDS5ReplicaLastInitEnd

States when the initialization of the consumer replica ended.

nsDS5ReplicaLastInitStart

States when the initialization of the consumer replica started.

nsDS5ReplicaLastInitStatus

The status for the initialization of the consumer.

nsDS5ReplicaLastUpdateEnd

States when the most recent replication schedule update ended.

nsDS5ReplicaLastUpdateStart

States when the most recent replication schedule update started.

nsDS5ReplicaLastUpdateStatus

Provides the status for the most recent replication schedule updates.

nsDS5ReplicaReapActive

Specifies whether the background task that removes old tombstones (deleted entries) from the database is active.

nsDS5ReplicaRefresh

Allows you to initialize your replica.

nsDS5ReplicaRoot

Specifies the suffix DN at the root of a replicated area.

nsDS5ReplicaSessionPauseTime

Specifies the amount of time in seconds a supplier should wait between update sessions.

nsDS5ReplicatedAttributeList

Specifies any attributes that will not be replicated to a consumer server.

nsDS5ReplicaTimeout

Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing.

nsDS5ReplicaTransportInfo

Specifies the type of transport used for transporting data to and from the replica.

nsDS5ReplicaUpdateInProgress

States whether a replication schedule update is in progress.

nsDS50ruv

Manages the internal state of the replica via the replication update vector.

nsDSWindowsReplicationAgreement

Definition

Stores the synchronization attributes that concern the synchronization agreement. Information on the attributes for this object class are in chapter 2 of the Red Hat Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.503

Required Attributes:

cn (commonName)

Names the synchronization agreement.

description

Text description of the synchronization agreement.

nsDS5ReplicaBindDN

Specifies the DN to use when the Directory Server binds to the Windows server.

nsDS5ReplicaBindMethod

Specifies the method (SSL or simple authentication) to use for binding.

nsDS5ReplicaCredentials

Specifies the credentials for the bind DN.

nsDS5ReplicaHost

Specifies the hostname for the Windows domain controller of the Windows server being synchronized.

nsDS5ReplicaPort

Specifies the port number for the Windows server.

nsDS7DirectoryReplicaSubtree

Specifies the Directory Server suffix (root or sub) that is synched.

nsDS7DirsyncCookie

A cookie set by the sync service that functions as an RUV.

nsDS7NewWinGroupSyncEnabled

Specifies whether new Windows group accounts are automatically created on the Directory Server.

nsDS7NewWinUserSyncEnabled

Specifies whether new Windows user accounts are automatically created on the Directory Server.

nsDS7WindowsDomain

The Windows domain being synchronized; analogous to nsDS5ReplicaHost in a replication agreement.

nsDS7WindowsReplicaSubtree

Specifies the Windows server suffix (root or sub) that is synched.

Allowed Attributes:

nsDS5ReplicaBusyWaitTime

Specifies the amount of time in seconds the Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access.

nsDS5ReplicaChangesSentSinceStartup

The number of changes sent since the Directory Server started.

nsDS5ReplicaLastInitEnd

States when the last total update (resynchronization) of the Windows server ended.

nsDS5ReplicaLastInitStart

States when the last total update (resynchronization) of the Windows server starteded.

nsDS5ReplicaLastInitStatus

The status for the total update (resynchronization) of the Windows server.

nsDS5ReplicaLastUpdateEnd

States when the most recent update ended.

nsDS5ReplicaLastUpdateStart

States when the most recent update started.

nsDS5ReplicaLastUpdateStatus

Provides the status for the most recent updates.

nsDS5ReplicaRoot

Specifies the root suffix DN of the Directory Server.

nsDS5ReplicaSessionPauseTime

Specifies the amount of time in seconds the Directory Server should wait between update sessions.

nsDS5ReplicaTimeout

Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing.

nsDS5ReplicaTransportInfo

Specifies the type of transport used for transporting data to and from the Windows server.

nsDS5ReplicaUpdateInProgress

States whether an update is in progress.

nsDS5ReplicaUpdateSchedule

Specifies the synchronization schedule (this is hard-coded at 5 minutes).

nsSaslMapping

Definition

Identity mapping configuration for SASL.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.317

Required Attributes:

nsSaslMapRegexString

Contains a regular expression used to match SASL identity strings.

nsSaslMapBaseDNTemplate

Contains the search base DN template.

nsSaslMapFilterTemplate

Contains the search filter template.

passwordObject

Definition

Stores password information for a user in the directory.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.12

Required Attributes

objectClass

Defines the object classes for the entry.

Allowed Attributes

accountUnlockTime

Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.

passwordAllowChangeTime

Used to specify the length of time that must pass before users are allowed to change their passwords.

passwordExpirationTime

Used to specify the length of time that passes before the user's password expires.

passwordExpWarned

Used to indicate that a password expiration warning has been sent to the user.

passwordGraceUserTime

Used to specify the number of login attempts that are allowed to a user after the password has expired.

passwordHistory

Contains the history of the user's previous passwords.

passwordRetryCount

Used to count the number of consecutive failed attempts at entering the correct password.

pwdpolicysubentry

Points to the entry DN of the new password policy.

retryCountResetTime

Specifies the length of time that passes before the passwordRetryCount attribute is reset.

subschema

Definition

An auxilary object class subentry used to administer the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters used to express the subschema.

This object class is defined in RFC 2252.

Superior Class

top

OID

2.5.20.1

Required Attributes

objectClass

Defines the object classes for the entry.

Allowed Attributes

attributeTypes

Attribute types used within a subschema.

dITContentRules

Defines the DIT content rules which are in force within a subschema.

dITStructureRules

Defines the DIT structure rules which are in force within a subschema.

matchingRuleUse

Indicates the attribute types to which a matching rule applies in a subschema.

matchingRules

Defines the matching rules used within a subschema.

nameForms

Defines the name forms used in a subschema.

objectClasses

Defines the object classes used in a subschema.

objectClass	Defines the object classes for the entry.
changeNumber	Number assigned arbitrarily to the changelog.
changeTime	The time at which a change took place.
changeType	The type of change performed on an entry.
targetDn	The distinguished name of an entry added, modified or deleted on a supplier server.

changes	Changes made to the Directory Server.
deleteOldRdn	A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry or should be deleted.
newRdn	New RDN of an entry that is the target of a modRDN or modDN operation.
newSuperior	Name of the entry that becomes the immediate superior of the existing entry when processing a modDN operation.

attributeName	The common name of the attribute being encrypted.
nsEncryptionAlgorithm	The encryption cipher used.
databaseName	The name of the database where the attribute is stored.

cn (commonName)	Used for naming the replica.
nsDS5ReplicaBindDN	Specifies the DN to use when a supplier server binds to a consumer.
nsDS5ReplicaId	Specifies the unique ID for suppliers in a replication environment.
nsDS5ReplicaType	Defines the type of replica, e.g. read-only consumer.

nsDS5Flags	Allows you to specify information that has been previously set in flags.
nsDS5ReplicaChangeCount	Gives the total number of entries in the changelog and whether they have been replicated.
nsDS5ReplicaLegacyConsumer	Specifies whether the replica is a legacy consumer.
nsDS5ReplicaName	Specifies the unique ID for the replica for internal operations.
nsDS5ReplicaPurgeDelay	Specifies the time in seconds before the changelog is purged.
nsDS5ReplicaReferral	Specifies the URLs for user-defined referrals.
nsDS5ReplicaRoot	Specifies the suffix DN at the root of a replicated area.
nsDS5ReplicaTombstonePurgeInterval	Specifies the time interval in seconds between purge operation cycles.
nsState	Stores information on the clock so that proper change sequence numbers are generated.

cn (commonName)	Used for naming the replication agreement.
nsDS5ReplicaBindDN	Specifies the DN to use when a supplier server binds to a consumer.
nsDS5ReplicaBindMethod	Specifies the method (SSL or simple authentication) to use for binding.
nsDS5ReplicaCredentials	Specifies the password for the bind DN.
nsDS5ReplicaHost	Specifies the hostname for the consumer replica.
nsDS5ReplicaPort	Specifies the port number for the remote replica.
nsDS5ReplicaUpdateSchedule	Specifies the replication schedule.

description	Free form text description of the replication agreement.
nsDS5ReplicaBusyWaitTime	Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.
nsDS5ReplicaChangesSentSinceStartup	The number of changes sent to this replica since the server started.
nsDS5ReplicaLastInitEnd	States when the initialization of the consumer replica ended.
nsDS5ReplicaLastInitStart	States when the initialization of the consumer replica started.
nsDS5ReplicaLastInitStatus	The status for the initialization of the consumer.
nsDS5ReplicaLastUpdateEnd	States when the most recent replication schedule update ended.
nsDS5ReplicaLastUpdateStart	States when the most recent replication schedule update started.
nsDS5ReplicaLastUpdateStatus	Provides the status for the most recent replication schedule updates.
nsDS5ReplicaReapActive	Specifies whether the background task that removes old tombstones (deleted entries) from the database is active.
nsDS5ReplicaRefresh	Allows you to initialize your replica.
nsDS5ReplicaRoot	Specifies the suffix DN at the root of a replicated area.
nsDS5ReplicaSessionPauseTime	Specifies the amount of time in seconds a supplier should wait between update sessions.
nsDS5ReplicatedAttributeList	Specifies any attributes that will not be replicated to a consumer server.
nsDS5ReplicaTimeout	Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing.
nsDS5ReplicaTransportInfo	Specifies the type of transport used for transporting data to and from the replica.
nsDS5ReplicaUpdateInProgress	States whether a replication schedule update is in progress.
nsDS50ruv	Manages the internal state of the replica via the replication update vector.

cn (commonName)	Names the synchronization agreement.
description	Text description of the synchronization agreement.
nsDS5ReplicaBindDN	Specifies the DN to use when the Directory Server binds to the Windows server.
nsDS5ReplicaBindMethod	Specifies the method (SSL or simple authentication) to use for binding.
nsDS5ReplicaCredentials	Specifies the credentials for the bind DN.
nsDS5ReplicaHost	Specifies the hostname for the Windows domain controller of the Windows server being synchronized.
nsDS5ReplicaPort	Specifies the port number for the Windows server.
nsDS7DirectoryReplicaSubtree	Specifies the Directory Server suffix (root or sub) that is synched.
nsDS7DirsyncCookie	A cookie set by the sync service that functions as an RUV.
nsDS7NewWinGroupSyncEnabled	Specifies whether new Windows group accounts are automatically created on the Directory Server.
nsDS7NewWinUserSyncEnabled	Specifies whether new Windows user accounts are automatically created on the Directory Server.
nsDS7WindowsDomain	The Windows domain being synchronized; analogous to nsDS5ReplicaHost in a replication agreement.
nsDS7WindowsReplicaSubtree	Specifies the Windows server suffix (root or sub) that is synched.

nsDS5ReplicaBusyWaitTime	Specifies the amount of time in seconds the Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access.
nsDS5ReplicaChangesSentSinceStartup	The number of changes sent since the Directory Server started.
nsDS5ReplicaLastInitEnd	States when the last total update (resynchronization) of the Windows server ended.
nsDS5ReplicaLastInitStart	States when the last total update (resynchronization) of the Windows server starteded.
nsDS5ReplicaLastInitStatus	The status for the total update (resynchronization) of the Windows server.
nsDS5ReplicaLastUpdateEnd	States when the most recent update ended.
nsDS5ReplicaLastUpdateStart	States when the most recent update started.
nsDS5ReplicaLastUpdateStatus	Provides the status for the most recent updates.
nsDS5ReplicaRoot	Specifies the root suffix DN of the Directory Server.
nsDS5ReplicaSessionPauseTime	Specifies the amount of time in seconds the Directory Server should wait between update sessions.
nsDS5ReplicaTimeout	Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing.
nsDS5ReplicaTransportInfo	Specifies the type of transport used for transporting data to and from the Windows server.
nsDS5ReplicaUpdateInProgress	States whether an update is in progress.
nsDS5ReplicaUpdateSchedule	Specifies the synchronization schedule (this is hard-coded at 5 minutes).

nsSaslMapRegexString	Contains a regular expression used to match SASL identity strings.
nsSaslMapBaseDNTemplate	Contains the search base DN template.
nsSaslMapFilterTemplate	Contains the search filter template.

objectClass	Defines the object classes for the entry.

accountUnlockTime	Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
passwordAllowChangeTime	Used to specify the length of time that must pass before users are allowed to change their passwords.
passwordExpirationTime	Used to specify the length of time that passes before the user's password expires.
passwordExpWarned	Used to indicate that a password expiration warning has been sent to the user.
passwordGraceUserTime	Used to specify the number of login attempts that are allowed to a user after the password has expired.
passwordHistory	Contains the history of the user's previous passwords.
passwordRetryCount	Used to count the number of consecutive failed attempts at entering the correct password.
pwdpolicysubentry	Points to the entry DN of the new password policy.
retryCountResetTime	Specifies the length of time that passes before the passwordRetryCount attribute is reset.

objectClass	Defines the object classes for the entry.

attributeTypes	Attribute types used within a subschema.
dITContentRules	Defines the DIT content rules which are in force within a subschema.
dITStructureRules	Defines the DIT structure rules which are in force within a subschema.
matchingRuleUse	Indicates the attribute types to which a matching rule applies in a subschema.
matchingRules	Defines the matching rules used within a subschema.
nameForms	Defines the name forms used in a subschema.
objectClasses	Defines the object classes used in a subschema.

Contents

Index