Red Hat DIRECTORY SERVER 7.1 - SCHEMA Reference


Schema Reference
Red Hat Directory Server
Version 7.1
May 2005
Updated February 2009



Summary of Contents for Red Hat DIRECTORY SERVER 7.1 - SCHEMA

  • Page 1 Schema Reference Red Hat Directory Server Version 7.1 May 2005 Updated February 2009...
  • Page 2 All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 3: Table Of Contents

    Contents: About This Reference Guide, 11. Purpose of This Guide ...
  • Page 4 friendlyCountry, 38. groupOfCertificates ...
  • Page 5 c (countryName), 78. cACertificate ...
  • Page 6 initials, 97. internationalISDNNumber ...
  • Page 7 o (organizationName), 116. objectClass ...
  • Page 8 uid (userID), 135. uniqueIdentifier ...
  • Page 9 passwordLockoutDuration (pwdLockoutDuration), 154. passwordMaxAge (pwdMaxAge) ...
  • Page 10 Red Hat Directory Server Schema Reference • May 2005...
  • Page 11: About This Reference Guide

    About This Reference Guide Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 12: Contents Of This Guide

    Contents of This Guide • Directory Server Console — An improved management console that dramatically reduces the effort of setting up and maintaining your directory service. The directory console is part of Red Hat Console, the common management framework for LDAP directory services. •...
  • Page 13: Conventions Used In This Book

    For example, if you gave the server an identifier of phonebook, then the actual path would look like this: /opt/redhat-ds/servers/slapd-phonebook/. . . • In examples/sample code, paths assume that the Directory Server is installed in the default location .
  • Page 14 Directory Server. For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, check this site: http://www.redhat.com/docs/manuals/dir-server/
  • Page 15: Chapter 1 About Schema

    Chapter 1 About Schema This chapter provides an overview of some of the basic concepts of the directory schema and lists the files in which the schema is described. It describes object classes, attributes, and object identifiers (OIDs) and briefly discusses extending server schema and schema checking.
  • Page 16: Object Classes

    Schema Definition CAUTION Directory Server fails to start if schema definitions include too few or too many space characters. Use exactly one space in those places where the LDAP standards allow the use of zero or many spaces; for example, the place between the NAME keyword and the name of an attribute type.
  • Page 17: Attributes

    Schema Definition objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgperson In this structure, inetOrgperson inherits from the organizationalPerson and person object classes. Therefore, when you assign the object class inetOrgperson to an entry, it automatically inherits the required and allowed attributes from the superior object class.
  • Page 18 Schema Definition Attribute Syntax (Continued) Table 1-1 Syntax Method Definition Country String 1.3.6.1.4.1.1466.115.121.1.11 Indicates that values for this attribute are limited to exactly two printable string characters; for example, US. 1.3.6.1.4.1.1466.115.121.1.12 Indicates that values for this attribute are DNs. DirectoryString 1.3.6.1.4.1.1466.115.121.1.15 Indicates that values for this attribute are not case sensitive.
  • Page 19: Single-Valued And Multi-Valued Attributes

    Schema Supported by Directory Server Single-Valued and Multi-Valued Attributes By default, most attributes are multi-valued. This means that an entry can contain the same attribute with multiple values. For example, , and objectclass are all attributes that can have more than one value. Attributes that are single-valued —...
  • Page 20 Schema Supported by Directory Server Schema Files Used by Directory Server (Continued) Table 1-2 Schema Filename Purpose Common schema elements for Red Hat-Nortel 20subscriber.ldif subscriber interoperability. Schema from RFC 2713, “Schema for Representing 25java-object.ldif Java(tm) Objects in an LDAP Directory.” Schema from the pilot RFCs, especially RFC 1274, that 28pilot.ldif are no longer recommended for use in new...
  • Page 21: Object Identifiers (Oids)

    Object Identifiers (OIDs) Schema Files Used by Legacy Products (Continued) Table 1-4 Schema Filenames Purpose Schema for Netscape Mission Control Desktop - 50ns-mcd-config.ldif Configuration. Schema for Netscape Mission Control Desktop - Location 50ns-mcd-li.ldif Independence. Schema for Netscape Mission Control Desktop - Mail. 50ns-mcd-mail.ldif Schema for Netscape Media Server.
  • Page 22: Extending Server Schema

    Extending Server Schema For more information about OIDs or to request a prefix for your enterprise, please go to the Internet Assigned Number Authority (IANA) web site at http://www.iana.org/ Extending Server Schema The Directory Server schema includes hundreds of object classes and attributes that can be used to meet most of your requirements.
  • Page 23: Chapter 2 Object Class Reference

    Chapter 2 Object Class Reference This chapter contains an alphabetical list of the object classes accepted by the default schema. It gives a definition of each object class and lists its required and allowed attributes. The object classes listed in this chapter are available for you to use to support your own information in the Red Hat Directory Server (Directory Server).
  • Page 24: Alias

    Superior Class 0.9.2342.19200300.100.4.5 Required Attributes objectClass Defines the object classes for the entry. uid (userID) Identifies the account’s user ID. Allowed Attributes description Text description of the entry. host Hostname of the computer on which the account resides. l (localityName) Place where the account is located.
  • Page 25: Cosclassicdefinition

    Required Attributes objectClass Defines the object classes for the entry. aliasedObjectName Distinguished name of the entry for which this entry is an alias. cosClassicDefinition Definition Identifies the template entry using both the template entry’s DN (as specified in the cosTemplateDn attribute) and the value of one of the target entry’s attributes (as specified in the attribute).
  • Page 26: Cosdefinition

    cosDefinition Definition Defines the Class of Services you are using. This object class is supported in order to provide compatibility with the DS4.1 CoS Plug-in. This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.84 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes Evaluates what rights are granted or denied when the Directory Server receives an LDAP request from a...
  • Page 27: Cosindirectdefinition

    cosIndirectDefinition Definition Identifies the template entry using the value of one of the target entry’s attributes. The attribute of the target entry is specified in the cosIndirectSpecifier attribute. This object class is defined in Directory Server. Superior Class cosSuperDefinition 2.16.840.1.113730.3.2.102 Required Attributes objectClass Defines the object classes for the entry.
  • Page 28: Cossuperdefinition

    Superior Class cosSuperDefinition 2.16.840.1.113730.3.2.101 Required Attributes objectClass Defines the object classes for the entry. cosAttribute Provides the name of the attribute for which you want to generate a value. You can specify more than one cosAttribute value. Allowed Attributes cn (commonName) Common name of the entry.
  • Page 29: Costemplate

    cosAttribute Provides the name of the attribute for which you want to generate a value. You can specify more than one cosAttribute value. Allowed Attributes cn (commonName) Common name of the entry. description Text description of the entry. cosTemplate Definition Contains a list of the shared attribute values.
  • Page 30: Country

    country Definition Used to define entries that represent countries. This object class is defined in RFC 2256. Superior Class 2.5.6.2 Required Attributes objectClass Defines the object classes for the entry. c (countryName) Contains the two-character code representing country names, as defined by ISO, in the directory. Allowed Attributes Text description of the country.
  • Page 31: Device

    dn: dc=example,dc=com objectClass: top objectClass: organization objectClass: dcObject dc: example o: Example Corporation This object class is defined in RFC 2247. Superior Class 1.3.6.1.4.1.1466.344 Required Attributes objectClass Defines the object classes for the entry. dc (domainComponent) One component of a domain name. device Definition Used to store information about network devices, such as printers, in the directory.
  • Page 32: Document

    Allowed Attributes description Text description of the device. l (localityName) Place where the device is located. o (organizationName) Organization to which the device belongs. ou (organizationalUnitName) Organizational unit to which the device belongs. owner Distinguished name of the person responsible for the device.
  • Page 33 authorSn Author’s surname. cn (commonName) Common name of the document. description Text description of the document. dITRedirect Distinguished name to use as a redirect for the entry. documentAuthor Distinguished name of the document author. documentLocation Location of the original document. documentPublisher Person or organization that published the document.
  • Page 34: Documentseries

    updatesDocument Distinguished name of a document for which this document is an updated version. documentSeries Definition Used to define an entry that represents a series of documents. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.9 Required Attributes objectClass Defines the object classes for the entry.
  • Page 35: Domain

    domain Definition Used to define entries that represent DNS domains in the directory. The domainComponent attribute should be used for naming entries of this object class. Used to represent Internet domain names (e.g., example.com). The domain object class can only be used with an entry that does not correspond to an organization, organizational unit or other type of object for which an object class has been defined.
  • Page 36: Domainrelatedobject

    o (organizationName) Organization to which the domain belongs. physicalDeliveryOfficeName Location where physical deliveries can be made. postOfficeBox Domain’s post office box. postalAddress Domain’s mailing address. postalCode The postal code for this address (such as a United States zip code). preferredDeliveryMethod Domain’s preferred method of contact or delivery.
  • Page 37: Dsa

    Required Attributes objectClass Defines the object classes for the entry. associatedDomain Specifies a DNS domain associated with an object in the directory tree. Definition Used to define entries representing DSAs in the directory. This object class is defined in RFC 1274. Superior Class 2.5.6.13 Required Attributes...
  • Page 38: Extensibleobject

    extensibleObject Definition When present in an entry, extensibleObject permits the entry to optionally hold any attribute. The allowed attribute list of this class is implicitly the set of all attributes known to the server. This object class is defined in RFC 2252. Superior Class 1.3.6.1.4.1.1466.101.120.111 Required Attributes...
  • Page 39: Groupofcertificates

    Required Attributes objectClass Defines the object classes for the entry. co (friendlyCountryName) Stores the name of a country. c (countryName) Contains the two-character code representing country names, as defined by ISO, in the directory. Allowed Attributes description Text description of the country. searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for...
  • Page 40: Groupofnames

    Allowed Attributes businessCategory Type of business in which the group is engaged. description Text description of the group’s purpose. memberCertificateDescription Values used to determine if a particular certificate is a member of this group. o (organizationName) Organization to which the group of certificates belongs. ou (organizationalUnitName) Organizational unit to which the group belongs.
  • Page 41: Groupofuniquenames

    Allowed Attributes businessCategory Type of business in which the group is engaged. description Text description of the group’s purpose. member Distinguished name of a group member. o (organizationName) Organization to which the group belongs. ou (organizationalUnitName) Organizational unit to which the group belongs. owner Distinguished name of the person responsible for the group.
  • Page 42: Groupofurls

    Allowed Attributes businessCategory Type of business in which the group is engaged. description Text description of the group’s purpose. o (organizationName) Organization to which the group belongs. ou (organizationalUnitName) Organizational unit to which the group belongs. owner Distinguished name of the person responsible for the group.
  • Page 43: Inetorgperson

    o (organizationName) Organization to which the group belongs. ou (organizationalUnitName) Organizational unit to which the group belongs. owner Distinguished name of the person responsible for the group. seeAlso URL to information relevant to the group. inetOrgPerson Definition Used to define entries representing people in an organization’s enterprise network. Inherits from the object class.
  • Page 44 destinationIndicator Country and city associated with the entry; needed to provide Public Telegram Service. displayName Preferred name of a person to be used when displaying entries. employeeNumber The person’s employee number. employeeType The person’s type of employment (for example, full time).
  • Page 45: Labeleduriobject

    preferredLanguage The person’s preferred written or spoken language. registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. roomNumber The room number where the person is located. secretary Distinguished name of the person’s secretary or administrative assistant.
  • Page 46: Locality

    1.3.6.1.4.1.250.3.15 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes labeledURI Universal Resource Locator that is relevant to the entry. locality Definition Used to define entries that represent localities or geographic areas. This object class is defined in RFC 2256. Superior Class 2.5.6.3 Required Attributes...
  • Page 47: Mailgroup

    seeAlso URL to information relevant to the locality. st (stateOrProvinceName) State or province to which the locality belongs. street Street address associated with the locality. mailGroup Definition Defines the mail attributes for a group. This object class is defined in Netscape Messaging Server. Superior Class 2.16.840.1.113730.3.2.4 Required Attributes...
  • Page 48: Newpilotperson

    newPilotPerson Definition Used as a subclass of person to allow the use of a number of additional attributes to be assigned to entries of the person object class. Inherits cn (commonName) and sn (surname) from the person object class. This object class is defined in Internet White Pages Pilot. Superior Class person 0.9.2342.19200300.100.4.4...
  • Page 49: Nscomplexroledefinition

    pager The person’s pager number. personalSignature The person’s signature file. personalTitle The person’s honorific. preferredDeliveryMethod The person’s preferred method of contact or delivery. roomNumber The person’s room number. secretary Distinguished name of the person’s secretary or administrative assistant. seeAlso URL to information relevant to the person. telephoneNumber The person’s telephone number.
  • Page 50: Nsfilteredroledefinition

    Allowed Attributes cn (commonName) The entry’s common name. description Text description of the entry. nsFilteredRoleDefinition Definition Specifies assignment of entries to the role, depending upon the attributes contained by each entry. This object class is defined in Directory Server. Superior Class nsComplexRoleDefinition 2.16.840.1.113730.3.2.97 Required Attributes...
  • Page 51: Nslicenseuser

    nsLicenseUser Definition Used to track licenses for servers that are licensed on a per-client basis. nsLicenseUser is intended to be used with the inetOrgPerson object class. You can manage the contents of this object class through the Users and Groups area of the Red Hat Administration Server.
  • Page 52: Nsnestedroledefinition

    2.16.840.1.113730.3.2.96 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes cn (commonName) The entry’s common name. description Text description of the entry. nsNestedRoleDefinition Definition Specifies containment of one or more roles of any type within the role. This object class is defined in Directory Server.
  • Page 53: Nsroledefinition

    nsRoleDefinition Definition All role definition object classes inherit from the nsRoleDefinition object class. This object class is defined in Directory Server. Superior Class ldapSubEntry 2.16.840.1.113730.3.2.93 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes cn (commonName) The entry’s common name. description Text description of the entry.
  • Page 54: Ntgroup

    Superior Class nsRoleDefinition 2.16.840.1.113730.3.2.94 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes cn (commonName) The entry’s common name. description Text description of the entry. ntGroup Definition Holds data for a group entry stored in a Windows Active Directory or NT server. Several Directory Server attributes correspond directly to or are mapped to match Windows group attributes.
  • Page 55 Required Attributes cn (commonName) The entry’s common name; corresponds to the Windows name field. ntGroupType Specifies the type of group. objectClass Defines the object classes for the entry. Allowed Attributes description Text description of the group; corresponds to the Windows comment field. l (localityName) Place where the group is located.
  • Page 56: Ntuser

    ntUser Definition Holds data for a user entry stored in a Windows Active Directory or NT server. Several Directory Server attributes correspond directly to or are mapped to match Windows user account fields. When you create a new person entry in the Directory Server that is to be synchronized with a Windows server, Directory Server attributes will be assigned to Windows user account fields as shown in the attribute table below.
  • Page 57 mail The person’s email address. manager The manager of the person. mobile The person’s mobile phone number. ntUserAcctExpires Identifies when the user’s Windows account will expire. ntUserCodePage The user’s code page. ntUserCreateNewAccount Specifies whether a Windows account should be created when this entry is created in the Directory Server.
  • Page 58: Organization

    street Street address where the user is located. telephoneNumber Telephone number associated with the person. teletexTerminalIdentifier Identifier for a telex terminal associated with the user. telexNumber Telex number associated with the user. title The person’s job title. userCertificate Stores a user’s certificate in cleartext (not used). x121Address X.121 address associated with the entry.
  • Page 59: Organizationalperson

    fax (facsimileTelephoneNumber) The organization’s fax number. internationalISDNNumber The organization’s ISDN number. l (localityName) Place where the organization is located. physicalDeliveryOfficeName Location where physical deliveries can be made to the organization. postalAddress The organization’s mailing address. postalCode The postal code for this address (such as a United States zip code).
  • Page 60 Superior Class person 2.5.6.7 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The person’s common name. sn (surname) The person’s surname or last name. Allowed Attributes description Text description of the person. destinationIndicator Country and city associated with the person; needed to provide Public Telegram Service.
  • Page 61: Organizationalrole

    telephoneNumber The person’s telephone number. teletexTerminalIdentifier Identifier for the person’s teletex terminal. telexNumber The person’s telex number. title The person’s job title. userPassword Password with which the entry can bind to the directory. x121Address X.121 address of the person. organizationalRole Definition Used to define entries that represent roles held by people within an organization.
  • Page 62: Organizationalunit

    ou (organizationalUnitName) Organizational unit to which the person in the role belongs. physicalDeliveryOfficeName Location where physical deliveries can be made to the person in the role. postalAddress The mailing address for the person in the role. postalCode The postal code for this address (such as a United States zip code).
  • Page 63 2.5.6.5 Required Attributes objectClass Defines the object classes for the entry. ou (organizationalUnitName) The name of the organizational unit. Allowed Attributes businessCategory Type of business in which the organizational unit is engaged. description Text description of the organizational unit. destinationIndicator Country and city associated with the organizational unit;...
  • Page 64: Person

    street Street address where the organizational unit is located. telephoneNumber The organizational unit’s telephone number. teletexTerminalIdentifier Identifier for the organizational unit’s teletex terminal. telexNumber The organization’s telex number. userPassword Password with which the entry can bind to the directory. x121Address X.121 address of the organizational unit.
  • Page 65: Pilotobject

    userPassword Password with which the entry can bind to the directory. pilotObject Definition Used as a subclass to allow additional attributes to be assigned to entries of all other object classes. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.3 Required Attributes objectClass...
  • Page 66: Pilotorganization

    pilotOrganization Definition Used as a subclass to allow additional attributes to be assigned to organization or organizationalUnit object class entries. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.20 Required Attributes objectClass Defines the object classes for the entry. o (organizationName) Organization to which the entry belongs.
  • Page 67: Residentialperson

    preferredDeliveryMethod The pilot organization’s preferred method of contact or delivery. registeredAddress Postal address suitable for reception of expedited documents when the recipient must verify delivery. searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation.
  • Page 68: Rfc822Localpart

    Allowed Attributes businessCategory Type of business in which the person is engaged. description Text description of the person. destinationIndicator Country and city associated with the entry; needed to provide Public Telegram Service. fax (facsimileTelephoneNumber) The person’s fax number. internationalISDNNumber The person’s ISDN number. physicalDeliveryOfficeName Location where physical deliveries can be made to the person.
  • Page 69 Superior Class domain 0.9.2342.19200300.100.4.14 Required Attributes objectClass Defines the object classes for the entry. dc (domainComponent) Domain component of the entry. Allowed Attributes associatedName Entry in the organizational directory tree associated with a DNS domain. businessCategory Type of business in which this local part is engaged. cn (commonName) The local part’s common name.
  • Page 70: Room

    searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation. seeAlso URL to information relevant to the local part. sn (surname) The entry’s surname or last name. st (stateOrProvinceName) State or province where the local part is located.
  • Page 71: Strongauthenticationuser

    roomNumber The room’s number. seeAlso URL to information relevant to the room. telephoneNumber The room’s telephone number. strongAuthenticationUser Definition Used to store a user’s certificate entry in the directory. This object class is defined in RFC 2256. Superior Class 2.5.6.15 Required Attributes objectClass Defines the object classes for the entry.
  • Page 72 Required Attributes objectClass Defines the object classes for the entry. userPassword Password with which the entry can bind to the directory.
  • Page 73: Chapter 3 Attribute Reference

    Chapter 3 Attribute Reference This chapter contains reference information about Red Hat Directory Server (Directory Server) attributes. The attributes are listed in alphabetical order with their definition, syntax, and OID. For information on replication and synchronization attributes, refer to the Red Hat Directory Server Configuration, Command, and File Reference.
  • Page 74: Aliasedobjectname

    aliasedObjectName Definition Used by the Directory Server to identify alias entries in the directory. Contains the distinguished name of the entry for which it is an alias. For example: aliasedObjectName: uid=jdoe,ou=people,dc=example,dc=com This attribute is defined in RFC 2256. Syntax DN, single-valued. 2.5.4.1 associatedDomain Definition...
  • Page 75: Associatedname

    associatedName Definition Specifies an entry in the organizational directory tree associated with a DNS domain. For example: associatedName: c=us This attribute is defined in RFC 1274. Syntax DN, multi-valued. 0.9.2342.19200300.100.1.38 audio Definition Contains a sound file in binary format. The attribute uses a u-law encoded sound file.
  • Page 76: Authorsn

    For example: authorCn: Kacey This attribute is defined in Internet White Pages Pilot. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.102.1.11 authorSn Definition Contains the surname of the author of a document entry. For example: authorSn: Doe This attribute is defined in Internet White Pages Pilot. Syntax DirectoryString, multi-valued.
  • Page 77: Buildingname

    Syntax Binary, multi-valued. 2.5.4.38 buildingName Definition Defines the building name associated with the entry. For example: buildingName: 14 This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.48 businessCategory Definition Identifies the type of business in which the entry is engaged. This should be a broad generalization, such as the corporate division level.
  • Page 78: C (Countryname)

    c (countryName) Definition Contains the two-character code representing country names, as defined by ISO, in the directory. For example: countryName: IE c: IE This attribute is defined in RFC 2256. Syntax DirectoryString, single-valued. 2.5.4.6 cACertificate Definition Contains the CA’s certificate. This attribute is to be stored and requested in the binary form, as cACertificate;binary For example:...
  • Page 79: Carlicense

    carLicense Definition Identifies the entry’s automobile license plate number. For example: carLicense: 6ABC246 This attribute is defined in RFC 2798. Syntax DirectoryString, multi-valued. 2.16.840.1.113730.3.1.1 certificateRevocationList Definition Contains a list of revoked user certificates. This attribute is to be stored and requested in the binary form, as certificateRevocationList;binary For example:...
  • Page 80: Co (Friendlycountryname)

    When identifying the entry’s common name or full name: commonName: Bill Anderson cn: Bill Anderson When in reference to the LDAPReplica or LDAPServer object classes: commonName: replicater.example.com:17430/o%3Dexample%2Cc%3us cn: replicater.example.com:17430/o%3Dexample%2Cc%3us This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.3 co (friendlyCountryName) Definition Contains the name of a country.
  • Page 81: Cosattribute

    cosAttribute Description Provides the name of the attribute for which you want to generate a value. You can specify more than one cosAttribute value. This attribute is used by all types of CoS definition entries. This attribute is defined in Directory Server. Syntax Directory String, multi-valued.
  • Page 82: Cosspecifier

    Syntax INTEGER, single-valued. 2.16.840.1.113730.3.1.569 cosSpecifier Description Specifies the attribute value used by a classic CoS, which, along with the template entry’s DN, identifies the template entry. This attribute is defined in Directory Server. Syntax DirectoryString, single-valued. 2.16.840.1.113730.3.1.551 cosTargetTree Definition Determines the subtrees of the DIT to which the CoS schema applies. The values for this attribute for the schema and for multiple CoS schema may overlap their target trees in an arbitrary fashion.
  • Page 83: Costemplatedn

    cosTemplateDn Definition The DN of the template entry which contains a list of the shared attribute values. Changes to the template entry attribute values are automatically applied to all the entries within the scope of the CoS. A single CoS might have more than one template entry associated with it.
  • Page 84: Deltarevocationlist

    domainComponent: example dc: example This attribute is defined in RFC 2247. Syntax DirectoryString, single-valued. 0.9.2342.19200300.100.1.25 deltaRevocationList Definition This attribute is to be stored and requested in the binary form, as deltaRevocationList;binary This attribute is defined in RFC 2256. Syntax Binary, multi-valued. 2.5.4.53 departmentNumber Definition...
  • Page 85: Description

    2.16.840.1.113730.3.1.2 description Definition Provides a human-readable description of the object. For person or organization entries, this often includes their role or work assignment. For example: description: Quality control inspector for the ME2873 product line. This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued.
  • Page 86: Displayname

    displayName Definition Preferred name of a person to be used when displaying entries. Especially useful in displaying a preferred name for an entry within a one-line summary list. Since other attribute types, such as , are multivalued, they can not be used to display a preferred name.
  • Page 87: Dmdname

    dmdName Definition The value of this attribute specifies a directory management domain (DMD), the administrative authority which operates the Directory Server. This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.54 dn (distinguishedName) Definition Defines the distinguished name (DN) for the entry. For example: dn: uid=Jane Doe,ou=Quality Control,dc=example,dc=com This attribute is defined in RFC 2256.
  • Page 88: Documentauthor

    dNSRecord: IN NS ns.uu.net
    This attribute is defined in Internet directory pilot.
    Syntax: IA5String, multi-valued. OID 0.9.2342.19200300.100.1.26
    documentAuthor
    Definition: Contains the distinguished name of the author of a document entry. For example:
    documentAuthor: uid=John Doe,ou=People,dc=example,dc=com
    This attribute is defined in RFC 1274.
    Syntax: DN, multi-valued.
  • Page 89: Documentlocation

    OID 0.9.2342.19200300.100.1.11
    documentLocation
    Definition: Defines the location of the original copy of a document entry. For example:
    documentLocation: Department Library
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.15
    documentPublisher
    Definition: The person and/or organization that published a document. For example:
    documentPublisher: Southeastern Publishing
    This attribute is defined in RFC 1274.
  • Page 90: Documentstore

    documentStore
    Definition: Contains information on where the document is stored.
    This attribute is defined in Internet White Pages Pilot.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.102.1.10
    documentTitle
    Definition: Contains the title of a document entry. For example:
    documentTitle: Red Hat Directory Server Administrator’s Guide
    This attribute is defined in RFC 1274.
  • Page 91: Drink (Favoritedrink)

    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.13
    drink (favoriteDrink)
    Definition: Describes the favorite drink of a person entry. For example:
    drink: soda
    favoriteDrink: soda
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.5
    dSAQuality
    Definition: Specifies the purported quality of a DSA. This attribute allows a DSA manager to indicate the expected level of availability of the DSA.
  • Page 92: Employeenumber

    OID 0.9.2342.19200300.100.1.49
    employeeNumber
    Definition: Identifies the entry’s employee number. For example:
    employeeNumber: 3440
    This attribute is defined in RFC 2798.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.3
    employeeType
    Definition: Identifies the entry’s type of employment. For example:
    employeeType: Full time
    This attribute is defined in RFC 2798.
    Syntax: DirectoryString, multi-valued.
  • Page 93: Enhancedsearchguide

    enhancedSearchGuide
    Definition: Used by X.500 clients when constructing search filters. For example:
    enhancedSearchGuide: (uid=mhughes)
    This attribute is defined in RFC 2798.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.47
    fax (facsimileTelephoneNumber)
    Definition: Identifies the fax number at which the entry can be reached. Abbreviation: fax. For example:
    facsimileTelephoneNumber: +1 415 555 1212
    fax: +1 415 555 1212...
  • Page 94: Generationqualifier

    generationQualifier
    Definition: Contains the generation qualifier part of the name, typically appearing in the suffix. For example:
    generationQualifier: III
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.44
    givenName
    Definition: Identifies the entry’s given name, usually a person’s first name. For example:
    givenName: Hecuba
    This attribute is defined in RFC 2256.
  • Page 95: Homepostaladdress

    homeTelephoneNumber: 415-555-1212
    homePhone: 415-555-1234
    This attribute is defined in RFC 1274.
    Syntax: TelephoneNumber, multi-valued. OID 0.9.2342.19200300.100.1.20
    homePostalAddress
    Definition: Identifies the entry’s home mailing address. This field is intended to include multiple lines, but each line within the entry should be separated by a dollar sign ($).
  • Page 96: Host

    host
    Definition: Defines the hostname of a computer. For example:
    host: mozilla
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.9
    houseIdentifier
    Definition: Identifies a building in a location. For example:
    houseIdentifier: B105
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued.
  • Page 97: Initials

    For example:
    info: not valid
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.4
    initials
    Definition: Identifies the entry’s initials. Does not identify the entry’s surname. For example:
    initials: BFA
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued.
  • Page 98: Janetmailbox

    OID 2.5.4.25
    janetMailbox
    Definition: Specifies an email address. This attribute is intended for the convenience of U.K. users unfamiliar with RFC 822 mail addresses. Entries using this attribute must also include an rfc822Mailbox attribute.
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued.
  • Page 99: Keywords

    keyWords
    Definition: Contains keywords for the entry. For example:
    keyWords: directory LDAP X.500
    This attribute is defined in Internet White Pages Pilot.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.102.1.7
    knowledgeInformation
    Definition: This attribute is no longer used.
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued.
  • Page 100: Labeleduri

    l: Santa Clara
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.7
    labeledURI
    Definition: Specifies a Uniform Resource Identifier (URI) that is relevant in some way to the entry. Values placed in the attribute should consist of a URI (currently only URLs are supported) optionally followed by one or more space characters and a label.
  • Page 101: Lastmodifiedtime

    Syntax: DN, multi-valued. OID 0.9.2342.19200300.100.1.24
    lastModifiedTime
    Definition: Defines the last time, in UTC format, that a change was made to the entry. For example:
    lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.23
    mail
    Definition: Identifies a user’s primary email address (the email address retrieved and displayed by “white-pages”...
  • Page 102: Mailalternateaddress

    mailAlternateAddress
    Definition: Identifies alternate email addresses used by a person. This attribute does not reflect the default or primary email address; that email address is set by the mail attribute. For example:
    mailAlternateAddress: bill_anderson@email.com
    mailAlternateAddress: bill51@server.com
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued.
  • Page 103: Mailpreferenceoption

    mailPreferenceOption
    Definition: Indicates a preference for inclusion of user names on mailing lists (electronic or physical). Accepted values include:
    • : user doesn’t want to be included in mailing lists.
    • : user consents to be added to any mailing list.
    • ...
  • Page 104: Member

    OID 0.9.2342.19200300.100.1.10
    member
    Definition: Identifies the distinguished names for each member of the group. For example:
    member: cn=John Doe, o=example.com
    This attribute is defined in RFC 2256.
    Syntax: DN, multi-valued. OID 2.5.4.31
    memberCertificateDescription
    Definition: This attribute is a multi-valued attribute where each value is a description, a pattern, or a filter matching the subject DN of a certificate (usually certificates used for SSL client authentication).
  • Page 105: Memberurl

    AVAs are considered the same if they contain the same attribute description (case-insensitive comparison) and the same attribute value (case-insensitive comparison, leading and trailing whitespace ignored, and consecutive whitespace characters treated as a single SP). In order to be considered a member of a group with the following memberCertificateDescription, a certificate would need to include ou=x...
  • Page 106: Mobile

    mobile
    Definition: Identifies the entry’s mobile or cellular phone number. Abbreviation: mobile. For example:
    mobileTelephoneNumber: 415-555-4321
    This attribute is defined in RFC 1274.
    Syntax: TelephoneNumber, multi-valued. OID 0.9.2342.19200300.100.1.41
    name
    Definition: Identifies the attribute supertype from which string attribute types used for naming may be formed.
  • Page 107: Nslicensedfor

    nsLicensedFor
    Definition: Identifies the server the user is licensed to use. The Red Hat Administration Server expects each nsLicenseUser entry to contain zero or more instances of this attribute. Valid keywords for this attribute are currently:
    • slapd: the user is a licensed client of the Red Hat Directory Server.
    • ...
  • Page 108: Nslicensestarttime

    nsLicenseStartTime
    Definition: Reserved for future use.
    This attribute is defined in Red Hat Administration Services.
    Syntax: DirectoryString, multi-valued. OID 2.16.840.1.113730.3.1.37
    ntGroupAttributes
    Definition: Pointer to a binary file containing information about the group. For example:
    ntGroupAttributes:: IyEvYmluL2tzaAoKIwojIGRlZmF1bHQgdmFsdWUKIwpIPSJgaG9zdG5hb
    Syntax: binary (single). OID 2.16.840.1.113730.3.1.536
    ntGroupCreateNewGroup
    Definition: Used by Windows Sync;...
  • Page 109: Ntgroupdeletegroup

    OID 2.16.840.1.113730.3.1.45
    ntGroupDeleteGroup
    Definition: Used by Windows Sync; a true | false attribute which states whether a Directory Server entry will be automatically deleted when the group is deleted from the Windows sync peer server. true means the account is deleted; false ignores the deletion.
  • Page 110: Ntuniqueid

    • global/security: -21483646
    • domain local/security: -21483644
    • global/distribution:
    • domain local/distribution:
    This is set automatically when Windows groups are synchronized. To determine the group type of a Directory Server group, this attribute must be set manually when the group is created. By default, Directory Server groups do not have this attribute and are synchronized as global/security groups.
  • Page 111: Ntuseracctexpires

    ntUserAcctExpires
    Definition: This is only used with NT4 synchronization; this is not available for Active Directory synchronization. Indicates when the entry’s Windows account will expire. This value is stored as a string in GMT format. For example:
    ntUserAcctExpires: 20081015203415
    Syntax: cis (single). OID 1.2.840.1.113730.3.1.528...
  • Page 112: Ntuserdeleteaccount

    Syntax: cis (single). OID 2.16.840.1.113730.3.1.42
    ntUserDeleteAccount
    Definition: Used by Windows Sync; a true | false attribute which states whether a Directory Server entry will be automatically deleted when the user is deleted from the Windows sync peer server. true means the user entry is deleted; false ignores the deletion.
  • Page 113: Ntuserhomedir

    ntUserHomeDir
    Definition: ASCII string that represents the path of the user’s home directory. The string can be null. For example:
    ntUserHomeDir: c:\jsmith\
    Syntax: cis (single). OID 2.16.840.1.113730.3.1.521
    ntUserLastLogoff
    Definition: Identifies the time of the last logoff. This value is stored as a string in GMT format. If security logging is turned on, then this attribute is updated on synchronization only if some other aspect of the user’s entry has changed.
  • Page 114: Ntuserlogonhours

    For example:
    ntUserLastLogon: 20051015203415Z
    Syntax: cis (single). OID 2.16.840.1.113730.3.1.526
    ntUserLogonHours
    Definition: This is only used with NT4 synchronization; this is not available for Active Directory synchronization. Identifies the times during which the user may log on. Time is represented by a one-to-one correspondence between the hour of the week and a bit within the string.
  • Page 115: Ntuserparms

    Syntax: bin (single). OID 2.16.840.1.113730.3.1.529
    ntUserParms
    Definition: Unicode string reserved for use by applications.
    Syntax: cis (single). OID 2.16.840.1.113730.3.1.62
    ntUserProfile
    Definition: Identifies a path to the user’s profile. For example:
    ntUserProfile: c:\jsmith\profile.txt
    Syntax: cis (single). OID 2.16.840.1.113730.3.1.67
    ntUserScriptPath
    Definition: ASCII string that represents the path to the user’s logon script.
    Chapter 3 Attribute Reference...
  • Page 116: Ntuserworkstations

    For example:
    ntUserScriptPath: c:\jsmith\lscript.bat
    Syntax: cis (single). OID 2.16.840.1.113730.3.1.524
    ntUserWorkstations
    Definition: ASCII string that represents the names of workstations from which the user may log on. Up to eight workstations may be specified by separating each with a comma. Use null to allow the user to log on from any workstation. For example:
    ntUserWorkstations: firefly
    Syntax...
  • Page 117: Objectclass

    Syntax: DirectoryString, multi-valued. OID 2.5.4.10
    objectClass
    Definition: Specifies the object classes of the object. Must include the object. For example:
    objectClass: person
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.0
    obsoletedByDocument
    Definition: Contains the distinguished name of a document that obsoletes the document entry.
    This attribute is defined in Internet White Pages Pilot.
  • Page 118: Obsoletesdocument

    obsoletesDocument
    Definition: Contains the distinguished name of a document that is obsoleted by the document entry.
    This attribute is defined in Internet White Pages Pilot.
    Syntax: DN, multi-valued. OID 0.9.2342.19200300.102.1.3
    organizationalStatus
    Definition: Specifies a category by which a person is often referred in an organization. For example:
    organizationalStatus: researcher
    This attribute is defined in RFC 1274.
  • Page 119: Ou (Organizationalunitname)

    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.22
    ou (organizationalUnitName)
    Definition: Identifies the name of an organizational unit. For example:
    organizationalUnit: Marketing
    ou: Marketing
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.11
    owner
    Definition: Identifies the distinguished name of the person responsible for the entry. For example:
    owner: cn=John Smith, o=Example Corporation, c=US
    This attribute is defined in RFC 2256.
  • Page 120: Pager

    OID 2.5.4.32
    pager
    Definition: Identifies the entry’s pager phone number. Abbreviation: pager. For example:
    pagerTelephoneNumber: 415-555-6789
    pager: 415-555-6789
    This attribute is defined in RFC 1274.
    Syntax: TelephoneNumber, multi-valued. OID 0.9.2342.19200300.100.1.42
    personalSignature
    Definition: A signature file, in binary format, for the entry. For example:
    personalSignature:: AAAAAA==
    This attribute is defined in RFC 1274.
  • Page 121: Personaltitle

    personalTitle
    Definition: Specifies a personal title for a person. Examples of personal titles are "Ms.," "Dr.," "Prof.," and "Rev." For example:
    personalTitle: Mr
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.40
    photo
    Definition: Contains a photo, in binary form, of the entry. For example:
    photo:: AAAAAA==
    This attribute is defined in RFC 1274.
  • Page 122: Postaladdress

    For example:
    physicalDeliveryOfficeName: Santa Clara
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.19
    postalAddress
    Definition: Identifies the entry’s mailing address. This field is intended to include multiple lines. When represented in LDIF format, each line should be separated by a dollar sign ($).
  • Page 123: Postofficebox

    For example:
    postalCode: 44224
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.17
    postOfficeBox
    Definition: Specifies a postal mailing address. For example:
    postOfficeBox: 1234
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.18
    preferredDeliveryMethod
    Definition: Identifies the entry’s preferred contact or delivery method. For example:
    preferredDeliveryMethod: telephone
    This attribute is defined in RFC 2256.
  • Page 124: Preferredlanguage

    OID 2.5.4.28
    preferredLanguage
    Definition: Defines a person’s preferred written or spoken language. The value for this attribute should conform to the syntax for HTTP Accept-Language header values.
    This attribute is defined in RFC 2798.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.39
    presentationAddress
    Definition: Contains an OSI presentation address for the entry. The presentation address consists of an OSI Network Address and up to three selectors, one each for use by the transport, session, and presentation entities.
  • Page 125: Protocolinformation

    protocolInformation
    Definition: Used in conjunction with the presentationAddress attribute to provide additional information to the OSI network service.
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.48
    Description: Used in LDAPv3 to support smart referrals. Contains an LDAP URL in the format:
    ldap://servername:portnumber/dn
    The portnumber is optional.
  • Page 126: Roleoccupant

    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.26
    roleOccupant
    Definition: Contains the distinguished name of the person acting in the role defined in the organizationalRole entry. For example:
    roleOccupant: cn=jdoe, o=example.com
    This attribute is defined in RFC 2256.
    Syntax: DN, multi-valued.
  • Page 127: Searchguide

    OID 0.9.2342.19200300.100.1.6
    searchGuide
    Definition: Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation. When constructing search filters, use enhancedSearchGuide instead.
    This attribute is defined in RFC 2256.
    Syntax: IA5String, multi-valued.
  • Page 128: Seealso

    seeAlso
    Definition: Identifies another Directory Server entry that may contain information related to this entry. For example:
    seeAlso: cn=Quality Control Inspectors,ou=manufacturing,o=example.com
    This attribute is defined in RFC 2256.
    Syntax: DN, multi-valued. OID 2.5.4.34
    serialNumber
    Definition: Specifies the serial number of a device. For example:
    serialNumber: 555-1234-AZ
    This attribute is defined in RFC 2256.
  • Page 129: Sn (Surname)

    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, single-valued. OID 0.9.2342.19200300.100.1.50
    sn (surname)
    Definition: Identifies the entry’s surname, also referred to as last name or family name. For example:
    surname: Anderson
    sn: Anderson
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued.
  • Page 130: Street

    Syntax: DirectoryString, multi-valued. OID 2.5.4.8
    street
    Definition: Identifies the entry’s house number and street name. For example:
    streetAddress: 1234 Ridgeway Drive
    street: 1234 Ridgeway Drive
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.9
    subject
    Definition: Contains information about the subject matter of the document entry. For example:
    subject: employee option grants
    This attribute is defined in Internet White Pages Pilot.
  • Page 131: Subtreemaximumquality

    OID 0.9.2342.19200300.102.1.8
    subtreeMaximumQuality
    Definition: Specifies the purported maximum data quality for a DIT subtree.
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, single-valued. OID 0.9.2342.19200300.100.1.52
    subtreeMinimumQuality
    Definition: Specifies the purported minimum data quality for a DIT subtree.
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, single-valued.
  • Page 132: Supportedapplicationcontext

    This attribute is defined in RFC 2256.
    Syntax: Binary, multi-valued. OID 2.5.4.52
    supportedApplicationContext
    Definition: This attribute contains the identifiers of OSI application contexts.
    This attribute is defined in RFC 2256.
    Syntax: DirectoryString, multi-valued. OID 2.5.4.30
    telephoneNumber
    Definition: Identifies the entry’s phone number. For example:
    telephoneNumber: 415-555-2233
    This attribute is defined in RFC 2256.
  • Page 133: Teletexterminalidentifier

    teletexTerminalIdentifier
    Definition: Identifies the entry’s teletex terminal identifier. The format of the attribute is as follows:
    teletex-id = ttx-term 0*("$" ttx-param)
    ttx-term = printablestring
    ttx-param = ttx-key ":" ttx-value
    ttx-key = "graphic" / "control" / "misc" / "page" / "private"
    ttx-value = octetstring
    In the above, the first printable string is the encoding of the first portion of the...
  • Page 134: Textencodedoraddress

    OID 2.5.4.21
    textEncodedORAddress
    Definition: Defines the text-encoded Originator/Recipient (X.400) address of the entry as defined in RFC 987. For example:
    textEncodedORAddress: /S=doe/OU=eng/O=example/ADMD=telemail/C=us/
    This attribute is defined in RFC 1274.
    Syntax: DirectoryString, multi-valued. OID 0.9.2342.19200300.100.1.2
    title
    Definition: Identifies the title of a person in the organization. For example:
    title: Senior QC Inspector
    This attribute is defined in RFC 2256.
  • Page 135: Ttl (Timetolive)

    ttl (timeToLive)
    Definition: Contains the time, in seconds, that cached information about an entry should be considered valid. Once the specified time has elapsed, the information is considered out of date. A value of zero (0) indicates that the entry should not be cached.
  • Page 136: Uniqueidentifier

    uniqueIdentifier
    Definition: Identifies a specific item used to distinguish between two entries when a distinguished name has been reused. This attribute is intended to detect any instance of a reference to a distinguished name that has been deleted. This attribute is assigned by the server. For example:
    uniqueIdentifier:: AAAAAA==
    This attribute is defined in RFC 1274.
  • Page 137: Updatedbydocument

    updatedByDocument
    Definition: Contains the distinguished name of a document that is an updated version of the document entry.
    This attribute is defined in Internet White Pages Pilot.
    Syntax: DN, multi-valued. OID 0.9.2342.19200300.102.1.6
    updatesDocument
    Definition: Contains the distinguished name of a document for which this document is an updated version.
  • Page 138: Userclass

    Syntax: Binary, multi-valued. OID 2.5.4.36
    userClass
    Definition: Specifies a category of computer user. The semantics of this attribute are arbitrary. The organizationalStatus attribute makes no distinction between computer users and other users and may be more applicable. For example:
    userClass: intern
    This attribute is defined in RFC 1274.
  • Page 139: Userpkcs12

    Syntax: Binary, multi-valued. OID 2.5.4.35
    userPKCS12
    Definition: This attribute provides a format for the exchange of personal identity information. The attribute is to be stored and requested in binary form, as userPKCS12;binary. The attribute values are PFX PDUs stored as binary data.
    This attribute is defined in RFC 2798.
  • Page 140: X121Address

    x121Address
    Definition: Defines the X.121 address of a person.
    This attribute is defined in RFC 2256.
    Syntax: IA5String, multi-valued. OID 2.5.4.24
    x500UniqueIdentifier
    Definition: Reserved for future use. A binary method of identification useful for differentiating objects when a distinguished name has been reused. For example:
    x500UniqueIdentifier:: AAAAAA==
    This attribute is defined in RFC 2256.
  • Page 141: Chapter 4 Operational Attributes, Special Attributes, And Special Object Classes

    Chapter 4 Operational Attributes, Special Attributes, and Special Object Classes This chapter provides definitions, syntax, and OIDs used by Red Hat Directory Server (Directory Server). Operational attributes are available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry.
  • Page 142: Operational Attributes

    Operational Attributes
    accountUnlockTime
    Definition: This refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
    This attribute is defined in Directory Server.
    Syntax: DirectoryString, multi-valued. OID 2.16.840.1.113730.3.1.95
    Definition: Used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.
  • Page 143: Altserver

    altServer
    Definition: The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. You may cache this information in case your preferred LDAP server later becomes unavailable.
  • Page 144: Copyingfrom

    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.613
    copyingFrom
    Definition: Used by a read-only replica to recognize a master data source while replication is in progress. Contains a reference to the server that holds the master data. This attribute is only used for legacy replication. It is not used for multi-master replication.
  • Page 145: Ditstructurerules

    dITStructureRules
    Definition: Multi-valued attribute that defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.
    This attribute is defined in RFC 2252.
    Syntax: DirectoryString, multi-valued. OID 2.5.21.1
    ldapSyntaxes
    Definition: This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.
  • Page 146: Matchingruleuse

    OID 2.5.21.4
    matchingRuleUse
    Definition: Used to indicate the attribute types to which a matching rule applies in a subschema.
    This attribute is defined in RFC 2252.
    Syntax: DirectoryString, multi-valued. OID 2.5.21.8
    nameForms
    Definition: Multi-valued attribute that defines the name forms used in a subschema. Each value defines one name form.
  • Page 147: Namingcontexts

    namingContexts
    Definition: Corresponds to a naming context the server is mastering or shadowing. When the Directory Server does not master any information (such as when it is an LDAP gateway to a public X.500 directory), this attribute is absent. When the Directory Server believes it contains the entire directory, the attribute has a single value, and that value is the empty string (indicating the null DN of the root). This attribute permits a client contacting a server to choose suitable base objects for searching.
  • Page 148: Numsubordinates

    For example:
    dn: cn=staff,o=redhat,o=example.com
    objectclass: LDAPsubentry
    objectclass: nsRoleDefinition
    objectclass: nsSimpleRoleDefinition
    objectclass: nsManagedRoleDefinition

    dn: cn=userA,ou=users,o=redhat,o=example.com
    objectclass: top
    objectclass: person
    sn: uA
    userpassword: secret
    nsroledn: cn=staff,o=redhat,o=example.com
    A nested role specifies containment of one or more roles of any type. In that case, defines the DN of the contained roles.
  • Page 149: Objectclasses

    Syntax: INTEGER, single-valued. OID 1.3.1.1.4.1.453.16.2.103
    objectClasses
    Definition: Multi-valued attribute that defines the object classes used in a subschema. Each value defines one object class.
    This attribute is defined in RFC 2252.
    Syntax: DirectoryString, multi-valued. OID 2.5.21.6
    passwordAllowChangeTime
    Definition: Used to specify the length of time that must pass before the user is allowed to change his password.
  • Page 150: Passwordchange (Pwdallowuserchange)

    passwordChange (pwdAllowUserChange)
    Definition: Specifies whether users may change their passwords.
    This attribute is defined in Directory Server.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.102
    passwordCheckSyntax (pwdCheckSyntax)
    Definition: Specifies whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user’s name or ID or any attribute value stored in the...
  • Page 151: Passwordexpirationtime

    This attribute is defined in Directory Server.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.98
    passwordExpirationTime
    Definition: Used to specify the length of time that passes before the user’s password expires.
    This attribute is defined in Directory Server.
    Syntax: GeneralizedTime, single-valued. OID 2.16.840.1.113730.3.1.91
    passwordExpWarned
    Definition: Used to indicate that a password expiration warning has been sent to the user.
  • Page 152: Passwordgracelimit

    passwordGraceLimit
    Definition: Used to specify the number of (grace) login attempts that are allowed to a user after the password has expired.
    This attribute is defined in Directory Server.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.999
    passwordGraceUserTime
    Definition: Used to count the number of attempts the user has made with the expired password.
  • Page 153: Passwordinhistory (Pwdinhistory)

    OID 2.16.840.1.113730.3.1.96
    passwordInHistory (pwdInHistory)
    Definition: Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled. That is, the Directory Server does not store any old passwords, so users can reuse passwords.
  • Page 154: Passwordlockoutduration (Pwdlockoutduration)

    passwordLockoutDuration (pwdLockoutDuration)
    Definition: Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password.
  • Page 155: Passwordminage (Pwdminage)

    This attribute is defined in Directory Server.
    Syntax: Integer, single-valued. OID 2.16.840.1.113730.3.1.106
    passwordMinAge (pwdMinAge)
    Definition: Indicates the number of seconds that must pass before a user can change his password. Use this attribute in conjunction with the passwordInHistory (pwdInHistory) attribute to prevent users from quickly cycling through passwords so that they can use their old password again.
  • Page 156: Passwordmustchange (Pwdmustchange)

    OID 2.16.840.1.113730.3.1.99
    passwordMustChange (pwdMustChange)
    Definition: Indicates whether users must change their passwords when they first bind to the Directory Server or when the password has been reset by the Manager DN.
    This attribute is defined in Directory Server.
    Syntax: DirectoryString, single-valued.
  • Page 157: Passwordretrycount

    passwordRetryCount
    Definition: Used to count the number of consecutive failed attempts at entering the correct password.
    This attribute is defined in Directory Server.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.93
    passwordStorageScheme
    Definition: Specifies the type of encryption used to store Directory Server passwords. Entering the password in CLEAR for this attribute indicates that the password will appear in plain text.
  • Page 158: Passwordunlock

    passwordUnlock
    Definition: Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password.
  • Page 159: Retrycountresettime

    This attribute is defined in Directory Server.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.997
    retryCountResetTime
    Definition: Specifies the length of time that passes before the passwordRetryCount is reset.
    This attribute is defined in Directory Server.
    Syntax: DirectoryString, single-valued. OID 2.16.840.1.113730.3.1.94
    subschemaSubentry
    Definition: DN of an entry that contains schema information.
  • Page 160: Supportedcontrol

    supportedControl
    Definition: The values of this attribute are the object identifiers (OIDs) that identify the controls supported by the server. When the server does not support controls, this attribute is absent.
    This attribute is defined in RFC 2252.
    Syntax: DirectoryString, multi-valued.
  • Page 161: Supportedsaslmechanisms

    Syntax: INTEGER, multi-valued. OID 1.3.6.1.4.1.1466.101.120.15
    supportedSASLMechanisms
    Definition: Identifies the names of the SASL mechanisms supported by the server. When the server does not support any SASL mechanisms, this attribute is absent.
    This attribute is defined in RFC 2252.
    Syntax: DirectoryString, multi-valued. OID 1.3.6.1.4.1.1466.101.120.14
    Special Attributes
    changes...
  • Page 162: Changelog

    Special Attributes changeLog Description The distinguished name of the entry which contains the set of entries comprising the server’s changelog. This attribute is defined in Changelog Internet Draft. Syntax DN, multi-valued. 2.16.840.1.113730.3.1.35 changeNumber Description This single-valued attribute is always present. It contains an integer which uniquely identifies each change made to a directory entry.
  • Page 163: Changetype

    Special Attributes Syntax DirectoryString, multi-valued. 2.16.840.1.113730.3.1.77 changeType Description Specifies the type of LDAP operation. This attribute can have one of the following values: delete, modify, or modrdn. For example: changeType: modify This attribute is defined in Changelog Internet Draft. Syntax DirectoryString, multi-valued.
  • Page 164: Newrdn

    Special Attributes newRdn Description In the case of modrdn operations, specifies the new RDN of the entry. This attribute is defined in Changelog Internet Draft. Syntax DN, multi-valued. 2.16.840.1.113730.3.1.9 newSuperior Description In the case of modrdn operations, specifies the newSuperior attribute of the entry.
  • Page 165: Nssaslmapbasedntemplate

    Special Attributes 2.16.840.1.113730.3.1.2063 nsSaslMapBaseDNTemplate Description Contains the search base DN template used in SASL identity mapping. This attribute is defined in Directory Server. Syntax ces, single-valued 2.16.840.1.113730.3.1.2065 nsSaslMapFilterTemplate Description Contains the search filter template used in SASL identity mapping. This attribute is defined in Directory Server. Syntax Case-Exact String, single-valued 2.16.840.1.113730.3.1.2066...
  • Page 166: Targetdn

    Special Object Classes Syntax ces, single-valued 2.16.840.1.113730.3.1.2064 targetDn Description Contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved. This attribute is defined in Changelog Internet Draft.
  • Page 167: Nsattributeencryption

    Special Object Classes 2.16.840.1.113730.3.2.1 Required Attributes objectClass Defines the object classes for the entry. changeNumber Number assigned arbitrarily to the changelog. changeTime The time at which a change took place. changeType The type of change performed on an entry. targetDn The distinguished name of an entry added, modified or deleted on a supplier server.
  • Page 168: Nsds5Replica

    Special Object Classes 2.16.840.1.113730.3.2.316 Required Attributes: attributeName The common name of the attribute being encrypted. nsEncryptionAlgorithm The encryption cipher used. databaseName The name of the database where the attribute is stored. nsDS5Replica Definition Contains the attributes set for a replica in regular replication. Many of these attributes are set within the backend and cannot be modified.
  • Page 169: Nsds5Replicationagreement

    Special Object Classes Allowed Attributes: nsDS5Flags Allows you to specify information that has been previously set in flags. nsDS5ReplicaChangeCount Gives the total number of entries in the changelog and whether they have been replicated. nsDS5ReplicaLegacyConsumer Specifies whether the replica is a legacy consumer. nsDS5ReplicaName Specifies the unique ID for the replica for internal operations.
  • Page 170 Special Object Classes nsDS5ReplicaBindDN Specifies the DN to use when a supplier server binds to a consumer. nsDS5ReplicaBindMethod Specifies the method (SSL or simple authentication) to use for binding. nsDS5ReplicaCredentials Specifies the password for the bind DN. nsDS5ReplicaHost Specifies the hostname for the consumer replica. nsDS5ReplicaPort Specifies the port number for the remote replica.
  • Page 171: Nsdswindowsreplicationagreement

    Special Object Classes nsDS5ReplicaSessionPauseTime Specifies the amount of time in seconds a supplier should wait between update sessions. nsDS5ReplicatedAttributeList Specifies any attributes that will not be replicated to a consumer server. nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing.
  • Page 172 Special Object Classes nsDS5ReplicaCredentials Specifies the credentials for the bind DN. nsDS5ReplicaHost Specifies the hostname for the Windows domain controller of the Windows server being synchronized. nsDS5ReplicaPort Specifies the port number for the Windows server. nsDS7DirectoryReplicaSubtree Specifies the Directory Server suffix (root or sub) that is synched.
  • Page 173: Nssaslmapping

    Special Object Classes nsDS5ReplicaSessionPauseTime Specifies the amount of time in seconds the Directory Server should wait between update sessions. nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing. nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the Windows server.
  • Page 174 Special Object Classes This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.12 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes accountUnlockTime Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
  • Page 175: Subschema

    Special Object Classes subschema Definition An auxiliary object class subentry used to administer the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters used to express the subschema. This object class is defined in RFC 2252. Superior Class 2.5.20.1 Required Attributes...
  • Page 177: Index

    Index 50ns-wcal.ldif 21 50ns-web.ldif 21 51ns-calendar.ldif 21 60pam-plugin.ldif 20 99user.ldif 20 abstract attribute 73 account object class 23 accountUnlockTime operational attribute 142 aci operational attribute 142 alias object class 24 aliasedObjectName attribute 74 altServer operational attribute 143 associatedDomain attribute 74 associatedName attribute 75...
  • Page 178 certificateRevocationList attribute 79 displayName attribute 86 changeLog attribute 162 distinguishedName attribute,See dn attribute changeLogEntry object class 166 dITContentRules operational attribute 144 changeNumber attribute 162 dITRedirect attribute 86 changes attribute 161 dITStructureRules operational attribute 145 changeTime attribute 162 dmdname attribute 87 changeType attribute 163 dn attribute 87 checking schema 22...
  • Page 179 generationQualifier attribute 94 l attribute 99 givenName attribute 94 labeledURI attribute 100 groupOfCertificates object class 39 labeledURIObject object class 45 groupOfNames object class 40 lastModifiedBy attribute 100 groupOfUniqueNames object class 41 lastModifiedTime attribute 101 groupOfURLs object class 42 ldapSyntaxes operational attribute 145 locality object class 46 localityName attribute, See l attribute homeDirectory attribute 94...
  • Page 180 nsDSWindowsReplicationAgreement 171 nsEncryptionAlgorithm attribute 164 o attribute 116 nsFilteredRoleDefinition object class 50 object class nsLicensedFor attribute 107 allowed attributes 16 nsLicenseEndTime attribute 107 defined 16 nsLicenseStartTime attribute 108 inheritance 16 nsLicenseUser object class 51 required attributes 16 nsManagedRoleDefinition object class 51 object identifiers (OIDs) 21 base OID for Directory Server 21 nsNestedRoleDefinition object class 52...
  • Page 181 passwordLockoutDuration 154 passwordGraceUserTime operational attribute 152 passwordMaxAge 154 passwordHistory operational attribute 152 passwordMaxFailure 154 passwordInHistory operational attribute 153 passwordMinAge 155 passwordLockout operational attribute 153 passwordMinLength 155 passwordLockoutDuration operational attribute 154 passwordMustChange 156 passwordMaxAge operational attribute 154 passwordResetFailureCount 156 passwordMaxFailure operational attribute 154 passwordRetryCount 157 passwordMinAge operational attribute 155 passwordStorageScheme 157...
  • Page 182 residentialPerson object class 67 nsSaslMapping 173 passwordObject 173 retryCountResetTime operational attribute 159 subschema 175 RFC822LocalPart object class 68 st attribute 129 roleOccupant attribute 126 stateOrProvinceName attribute, See st attribute room object class 70 street attribute 130 roomNumber attribute 126 streetAddress attribute, See street attribute strongAuthenticationUser object class 71 subject attribute 130 subschema object class 175...
  • Page 183 uid attribute 135 uniqueIdentifier attribute 136 uniqueMember attribute 136 updatedByDocument attribute 137 updatesDocument attribute 137 userCertificate attribute 137 userClass attribute 138 userId attribute, See uid attribute userPassword attribute 138 userPKCS12 attribute 139 userSMIMECertificate attribute 139 x121Address attribute 140 x500UniqueIdentifier attribute 140 Index...
