Netscape DIRECTORY SERVER 7.0 - SCHEMA Reference


Schema Reference
Netscape Directory Server
Version 7.0
October 2004


Summary of Contents for Netscape Directory Server 7.0 - Schema Reference

  • Page 1 Schema Reference Netscape Directory Server Version 7.0 October 2004...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law.
  • Page 3: Table of Contents

    Contents: About This Reference Guide ... 11; Purpose of This Guide ...
  • Page 4: country ... 34; dcObject ...
  • Page 5: audio ... 85; authorCn ...
  • Page 6: givenName ... 103; homePhone ...
  • Page 7: postOfficeBox ... 122; preferredDeliveryMethod ...
  • Page 8: accountUnlockTime ... 142; aci ...
  • Page 9: supportedControl ... 160; supportedExtension ...
  • Page 11: About This Reference Guide

    About This Reference Guide Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 12: Contents Of This Guide

    Contents of This Guide • Directory Server Console — An improved management console that dramatically reduces the effort of setting up and maintaining your directory service. The Directory Server Console is part of Netscape Console, the common management framework for Netscape servers. •...
  • Page 13: Conventions Used In This Book

    Conventions Used in This Book When you are familiar with Directory Server schema concepts and have done some preliminary planning for your directory service, you can install the Directory Server. The instructions for installing the various Directory Server components are contained in the Netscape Directory Server Installation Guide.
  • Page 14 Related Information • Netscape Directory Server Deployment Guide. Provides an overview for planning your deployment of the Directory Server. Includes deployment examples. • Netscape Directory Server Installation Guide. Procedures for installing your Directory Server as well as procedures for migrating your Directory Server. •...
  • Page 15: Chapter 1 About Schema

    Chapter 1 About Schema This chapter provides an overview of some of the basic concepts of the directory schema and lists the files in which the schema is described. It describes object classes, attributes, and object identifiers (OIDs) and briefly discusses extending server schema and schema checking.
  • Page 16: Object Classes

    Schema Definition CAUTION Directory Server fails to start if schema definitions include too few or too many space characters. Use exactly one space in those places where the LDAP standards allow the use of zero or many spaces; for example, the place between the NAME keyword and the name of an attribute type.
  • Page 17: Object Class Inheritance

    Schema Definition Object Class Inheritance An entry can have more than one object class. For example, the entry for a person is defined by the person object class but may also be defined by attributes in the inetOrgPerson, groupOfNames, and organization object classes...
  • Page 18 Schema Definition Table 1-1 lists the different syntax methods that can be applied to attributes and gives an OID and a definition for each syntax method. Attribute Syntax Table 1-1 Syntax Method Definition Binary 1.3.6.1.4.1.1466.115.121.1.5 Indicates that values for this attribute are binary. Boolean 1.3.6.1.4.1.1466.115.121.1.7 Indicates that this attribute has one of only two...
  • Page 19: Single-Valued And Multi-Valued Attributes

    Schema Supported by Directory Server Table 1-1 Attribute Syntax (Continued) Syntax Method Definition Indicates that the values for this attribute are in the form of a URL, introduced by a string such as http://, https://, ftp://, ldap://, and ldaps://. The URI has the same behavior as IA5String.
  • Page 20 Schema Supported by Directory Server Table 1-2 Schema Files Used by Directory Server Schema Filename Purpose 00core.ldif Recommended core schema from the X.500 and LDAP standards (RFCs) and schema used by the Directory Server itself. 05rfc2247.ldif Schema from RFC 2247 and related pilot schema, “Using Domains in LDAP/X.500 Distinguished Names.”...
  • Page 21: Object Identifiers (OIDs)

    Object Identifiers (OIDs) Table 1-3 Schema Files used by other Netscape Products (Continued) Schema Filenames Purpose 50ns-certificate.ldif Schema for Netscape Certificate Management System. 50ns-compass.ldif Schema for the Netscape Compass Server. 50ns-delegated-admin.ldif Schema for Netscape Delegated Administrator 4.5. 50ns-legacy.ldif Legacy Netscape Schema. Schema for Netscape Messaging Server.
  • Page 22: Extending Server Schema

    Extending Server Schema 2.16.840.1.113730.3. All Netscape-defined attributes have the base OID of 2.16.840.1.113730.3.1. All Netscape-defined object classes have the base OID of 2.16.840.1.113730.3.2. For more information about OIDs or to request a prefix for your enterprise, please go to the Internet Assigned Number Authority (IANA) web site at http://www.iana.org/ Extending Server Schema The Directory Server schema includes hundreds of object classes and attributes...
  • Page 23 Schema Checking Schema checking also occurs when importing a database using LDIF. For more information, refer to the Netscape Directory Server Administrator’s Guide.
  • Page 25: Chapter 2 Object Class Reference

    Chapter 2 Object Class Reference This chapter contains an alphabetical list of the object classes accepted by the default schema. It gives a definition of each object class and lists its required and allowed attributes. The object classes listed in this chapter are available for you to use to support your own information in the Netscape Directory Server (Directory Server).
  • Page 26: account

    account Definition Used to define entries representing computer accounts. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.5 Required Attributes objectClass Defines the object classes for the entry. uid (userID) Identifies the account’s user ID. Allowed Attributes description Text description of the entry.
  • Page 27: alias

    alias Definition Used to point to other entries in the directory tree. Note: Aliasing is not supported in Directory Server. This object class is defined in RFC 2256. Superior Class 2.5.6.1 Required Attributes objectClass Defines the object classes for the entry. aliasedObjectName Distinguished name of the entry for which this entry is an alias.
  • Page 28: cosClassicDefinition

    cosClassicDefinition Definition Identifies the template entry using both the template entry’s DN (as specified in the cosTemplateDn attribute) and the value of one of the target entry’s attributes (as specified in the cosSpecifier attribute). This object class is defined in Directory Server. Superior Class cosSuperDefinition 2.16.840.1.113730.3.2.100...
  • Page 29: cosDefinition

    cosDefinition Definition Defines the Class of Services you are using. This object class is supported in order to provide compatibility with the DS4.1 CoS Plug-in. This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.84 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes Evaluates what rights are granted or denied when the Directory Server receives an LDAP request from a...
  • Page 30: cosIndirectDefinition

    cosIndirectDefinition Definition Identifies the template entry using the value of one of the target entry’s attributes. The attribute of the target entry is specified in the cosIndirectSpecifier attribute. This object class is defined in Directory Server. Superior Class cosSuperDefinition 2.16.840.1.113730.3.2.102 Required Attributes objectClass Defines the object classes for the entry.
  • Page 31: cosPointerDefinition

    cosPointerDefinition Definition Identifies the template entry associated with the CoS definition using the template entry’s DN value. The DN of the template entry is specified in the cosTemplateDn attribute. This object class is defined in Directory Server. Superior Class cosSuperDefinition 2.16.840.1.113730.3.2.101 Required Attributes objectClass...
  • Page 32: cosSuperDefinition

    cosSuperDefinition Definition All CoS definition object classes inherit from the cosSuperDefinition object class. This object class is defined in Directory Server. Superior Class ldapSubEntry 2.16.840.1.113730.3.2.99 Required Attributes objectClass Defines the object classes for the entry. cosAttribute Provides the name of the attribute for which you want to generate a value.
  • Page 33: cosTemplate

    cosTemplate Definition Contains a list of the shared attribute values. This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.128 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes cn (commonName) Common name of the entry. cosPriority Specifies which template provides the attribute value when CoS templates compete to provide an...
  • Page 34: country

    country Definition Used to define entries that represent countries. This object class is defined in RFC 2256. Superior Class 2.5.6.2 Required Attributes objectClass Defines the object classes for the entry. c (countryName) Contains the two-character code representing country names, as defined by ISO, in the directory. Allowed Attributes description Text description of the country.
  • Page 35: dcObject

    dcObject Definition Allows domain components to be defined for an entry. This object class is defined as auxiliary because it is commonly used in combination with another object class, such as o (organizationName), ou (organizationalUnitName), or l (localityName). For example: dn: dc=example,dc=com objectClass: top objectClass: organization...
  • Page 36: device

    device Definition Used to store information about network devices, such as printers, in the directory. This object class is defined in RFC 2256. Superior Class 2.5.6.14 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) Common name of the device. Allowed Attributes description Text description of the device.
  • Page 37: document

    document Definition Used to define entries which represent documents in the directory. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.6 Required Attributes objectClass Defines the object classes for the entry. documentIdentifier Unique identifier for a document. Allowed Attributes abstract Abstract of the document.
  • Page 38 keyWords Keywords that describe the document. l (localityName) Place in which the document is located. lastModifiedBy Distinguished name of the last user to modify the document. lastModifiedTime Last time the document was modified. manager Distinguished name of the object’s manager. o (organizationName) Organization to which the document belongs.
  • Page 39: documentSeries

    documentSeries Definition Used to define an entry that represents a series of documents. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.9 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The common name of the series. Allowed Attributes description Text description of the series.
  • Page 40: domain

    domain Definition Used to define entries that represent DNS domains in the directory. The domainComponent attribute should be used for naming entries of this object class. Used to represent Internet domain names (e.g., example.com). The domain object class can only be used with an entry that does not correspond to an organization, organizational unit or other type of object for which an object class has been defined.
  • Page 41 physicalDeliveryOfficeName Location where physical deliveries can be made. postOfficeBox Domain’s post office box. postalAddress Domain’s mailing address. postalCode The postal code for this address (such as a United States zip code). preferredDeliveryMethod Domain’s preferred method of contact or delivery. registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery.
  • Page 42: domainRelatedObject

    domainRelatedObject Definition Used to define entries which represent DNS/NRS domains which are “equivalent” to an X.500 domain; for example, an organization or organizational unit. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.17 Required Attributes objectClass Defines the object classes for the entry. associatedDomain Specifies a DNS domain associated with an object in the directory tree.
  • Page 43: dsa

    dsa Definition Used to define entries representing DSAs in the directory. This object class is defined in RFC 1274. Superior Class 2.5.6.13 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The common name of the series. presentationAddress Contains an OSI presentation address for the entry.
  • Page 44: extensibleObject

    extensibleObject Definition When present in an entry, extensibleObject permits the entry to hold optionally any attribute. The allowed attribute list of this class is implicitly the set of all attributes known to the server. This object class is defined in RFC 2252. Superior Class 1.3.6.1.4.1.1466.101.120.111 Required Attributes...
  • Page 45: friendlyCountry

    friendlyCountry Definition Used to define country entries in the directory tree. This object class is used to allow more user-friendly country names than those allowed by the country object class. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.18 Required Attributes objectClass...
  • Page 46: groupOfCertificates

    groupOfCertificates Definition Used to describe a set of X.509 certificates. Any certificate that matches one of the memberCertificateDescription values is considered a member of the group. This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.31 Required Attributes objectClass Defines the object classes for the entry.
  • Page 47: groupOfNames

    groupOfNames Definition Used to define entries for a group of names. Note: The definition in Directory Server differs from the standard definition. In the standard definition, member is a required attribute. In Directory Server, member is an allowed attribute. Directory Server therefore allows a group to have no member. This object class is defined in RFC 2256.
  • Page 48: groupOfUniqueNames

    groupOfUniqueNames Definition Used to define entries for a group of unique names. Note: The definition in Directory Server differs from the standard definition. In the standard definition, uniquemember is a required attribute. In Directory Server, uniquemember is an allowed attribute. Directory Server therefore allows a group to have no member.
  • Page 49: groupOfURLs

    groupOfURLs Definition An auxiliary object class of groupOfUniqueNames and groupOfNames. The group consists of a list of labeled URLs. This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.33 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The group’s common name.
  • Page 50: inetOrgPerson

    inetOrgPerson Definition Used to define entries representing people in an organization’s enterprise network. Inherits from the person object class. This object class is defined in RFC 2798. Superior Class person 2.16.840.1.113730.3.2.2 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The person’s common name.
  • Page 51 homePhone The person’s home phone number. homePostalAddress The person’s home mailing address. initials The person’s initials. internationalISDNNumber The person’s ISDN number. jpegPhoto Photo in JPEG format. l (localityName) Place in which the person is located. labeledURI Universal resource locator that is relevant to the person. mail The person’s email address.
  • Page 52 telexNumber The person’s telex number. title The person’s job title. uid (userID) Identifies the person’s user id (usually the logon ID). userCertificate Stores a user’s certificate in cleartext (not used). userPassword Password with which the entry can bind to the directory. userSMIMECertificate Stores a user’s certificate in binary form.
  • Page 53: labeledURIObject

    labeledURIObject Definition This object class can be added to existing directory objects to allow for inclusion of URI values. This approach does not preclude including the labeledURI attribute type directly in other object classes as appropriate. This object class is defined in RFC 2079. Superior Class 1.3.6.1.4.1.250.3.1 Required Attributes...
  • Page 54: locality

    locality Definition Used to define entries that represent localities or geographic areas. This object class is defined in RFC 2256. Superior Class 2.5.6.3 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes description Text description of the locality. l (localityName) Place in which the entry is located.
  • Page 55: newPilotPerson

    newPilotPerson Definition Used as a subclass of person to allow the use of a number of additional attributes to be assigned to entries of the person object class. Inherits from the person object class. This object class is defined in Internet White Pages Pilot. Superior Class person 0.9.2342.19200300.100.4.4...
  • Page 56 otherMailbox Values for electronic mailbox types other than X.400 and rfc822. pager The person’s pager number. personalSignature The person’s signature file. personalTitle The person’s personal title. preferredDeliveryMethod The person’s preferred method of contact or delivery. roomNumber The person’s room number. secretary Distinguished name of the person’s secretary or administrative assistant.
  • Page 57: nsComplexRoleDefinition

    nsComplexRoleDefinition Definition Any role that is not a simple role is, by definition, a complex role. This object class is defined in Directory Server. Superior Class nsRoleDefinition 2.16.840.1.113730.3.2.95 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes cn (commonName) The entry’s common name.
  • Page 58: nsFilteredRoleDefinition

    nsFilteredRoleDefinition Definition Specifies assignment of entries to the role, depending upon the attributes contained by each entry. This object class is defined in Directory Server. Superior Class nsComplexRoleDefinition 2.16.840.1.113730.3.2.97 Required Attributes objectClass Defines the object classes for the entry. nsRoleFilter Specifies the filter assigned to an entry.
  • Page 59: nsLicenseUser

    nsLicenseUser Definition Used to track licenses for Netscape servers that are licensed on a per-client basis. nsLicenseUser is intended to be used with the inetOrgPerson object class. You can manage the contents of this object class through the Users and Groups area of the Netscape Administration Server.
  • Page 60: nsManagedRoleDefinition

    nsManagedRoleDefinition Definition Specifies assignment of a role to an explicit, enumerated list of members. This object class is defined in Directory Server. Superior Class nsSimpleRoleDefinition 2.16.840.1.113730.3.2.96 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes cn (commonName) The entry’s common name.
  • Page 61: nsNestedRoleDefinition

    nsNestedRoleDefinition Definition Specifies containment of one or more roles of any type within the role. This object class is defined in Directory Server. Superior Class nsComplexRoleDefinition 2.16.840.1.113730.3.2.98 Required Attributes objectClass Defines the object classes for the entry. nsRoleDn Specifies the roles assigned to an entry. Allowed Attributes cn (commonName) The entry’s common name.
  • Page 62: nsRoleDefinition

    nsRoleDefinition Definition All role definition object classes inherit from the nsRoleDefinition object class. This object class is defined in Directory Server. Superior Class ldapSubEntry 2.16.840.1.113730.3.2.93 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes cn (commonName) The entry’s common name. description Text description of the entry.
  • Page 63: nsSimpleRoleDefinition

    nsSimpleRoleDefinition Definition Roles containing this object class are called simple roles because they have a deliberately limited flexibility, which makes it easy to: • Enumerate the members of a role. • Determine whether a given entry possesses a particular role. •...
  • Page 64: organization

    organization Definition Used to define entries that represent organizations. An organization is generally assumed to be a large, relatively static grouping within a larger corporation or enterprise. This object class is defined in RFC 2256. Superior Class 2.5.6.4 Required Attributes objectClass Defines the object classes for the entry.
  • Page 65 registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation. seeAlso URL to information relevant to the organization. st (stateOrProvinceName) State or province in which the organization is located.
  • Page 66: organizationalPerson

    organizationalPerson Definition Used to define entries for people employed by or associated with an organization. are inherited from the person object class. This object class is defined in RFC 2256. Superior Class person 2.5.6.7 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The person’s common name.
  • Page 67 preferredDeliveryMethod The person’s preferred method of contact or delivery. registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. seeAlso URL to information relevant to the person. st (stateOrProvinceName) State or province in which the person is located. street Street address at which the person is located.
  • Page 68: organizationalRole

    organizationalRole Definition Used to define entries that represent roles held by people within an organization. This object class is defined in RFC 2256. Superior Class 2.5.6.8 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The role’s common name. Allowed Attributes description Text description of the role.
  • Page 69 registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. roleOccupant Distinguished name of the person in the role. seeAlso URL to information relevant to the person in the role. st (stateOrProvinceName) State or province in which the person in the role is located.
  • Page 70: organizationalUnit

    organizationalUnit Definition Used to define entries that represent organizational units. An organizational unit is generally assumed to be a relatively static grouping within a larger organization. This object class is defined in RFC 2256. Superior Class 2.5.6.5 Required Attributes objectClass Defines the object classes for the entry.
  • Page 71 registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation. seeAlso URL to information relevant to the organizational unit. st (stateOrProvinceName) State or province in which the organizational unit is located...
  • Page 72: person

    person Definition Used to define entries that generically represent people. This object class is the base class for the organizationalPerson object class. This object class is defined in RFC 2256. Superior Class 2.5.6.6 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The person’s common name.
  • Page 73: pilotObject

    pilotObject Definition Used as a subclass to allow additional attributes to be assigned to entries of all other object classes. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.3 Required Attributes objectClass Defines the object classes for the entry. Allowed Attributes audio Stores a sound file in binary format.
  • Page 74: pilotOrganization

    pilotOrganization Definition Used as a subclass to allow additional attributes to be assigned to organization and organizationalUnit object class entries. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.20 Required Attributes objectClass Defines the object classes for the entry. o (organizationName) Organization to which the entry belongs.
  • Page 75 preferredDeliveryMethod The pilot organization’s preferred method of contact or delivery. registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation.
  • Page 76: residentialPerson

    residentialPerson Definition Used by the Directory Server to contain a person’s residential information. This object class is defined in RFC 2256. Superior Class 2.5.6.10 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) The person’s common name. l (localityName) Place in which the person resides.
  • Page 77 registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. seeAlso URL to information relevant to the person. st (stateOrProvinceName) State or province in which the person resides. street Street address at which the person is located. telephoneNumber The person’s telephone number.
  • Page 78: RFC822LocalPart

    RFC822LocalPart Definition Used to define entries that represent the local part of RFC822 mail addresses. The directory treats this part of an RFC822 address as a domain. This object class is defined in Internet directory pilot. Superior Class domain 0.9.2342.19200300.100.4.14 Required Attributes objectClass Defines the object classes for the entry.
  • Page 79 postalCode The postal code for this address (such as a United States zip code). preferredDeliveryMethod Local part’s preferred method of contact or delivery. registeredAddress Postal address suitable for reception of expedited documents, where the recipient must verify delivery. searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation.
  • Page 80: room

    room Definition Used to store information in the directory about a room. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.7 Required Attributes objectClass Defines the object classes for the entry. cn (commonName) Common name of the room. Allowed Attributes description Text description of the room.
  • Page 81: strongAuthenticationUser

    strongAuthenticationUser Definition Used to store a user’s certificate entry in the directory. This object class is defined in RFC 2256. Superior Class 2.5.6.15 Required Attributes objectClass Defines the object classes for the entry. userCertificate Stores a user’s certificate, usually in binary form.
  • Page 82: simpleSecurityObject

    simpleSecurityObject Definition Used to allow an entry to contain the userPassword attribute when an entry's principal object classes do not allow userPassword as an attribute type. Reserved for future use. This object class is defined in RFC 1274. Superior Class 0.9.2342.19200300.100.4.19 Required Attributes objectClass...
  • Page 83: Chapter 3 Attribute Reference

    Chapter 3 Attribute Reference This chapter contains reference information about Netscape Directory Server (Directory Server) attributes. The attributes are listed in alphabetical order with their definition, syntax, and OID. abstract Definition Provides an abstract of a document entry. This attribute is defined in Internet White Pages Pilot. Syntax DirectoryString, multi-valued.
  • Page 84: associatedDomain

    This attribute is defined in RFC 2256. Syntax DN, single-valued. 2.5.4.1 associatedDomain Definition Specifies a DNS domain associated with an object in the directory tree. For example, the entry in the directory tree with a distinguished name c=US, would have an associated domain of .
  • Page 85: audio

    0.9.2342.19200300.100.1.38 audio Definition Contains a sound file in binary format. The attribute uses a u-law encoded sound file. For example: audio:: AAAAAA== This attribute is defined in RFC 1274. Syntax Binary, multi-valued. 0.9.2342.19200300.100.1.55 authorCn Definition Contains the common name of the author of a document entry. For example: authorCn: Kacey This attribute is defined in Internet White Pages Pilot.
  • Page 86: authorSn

    authorSn Definition Contains the surname of the author of a document entry. For example: authorSn: Doe This attribute is defined in Internet White Pages Pilot. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.102.1.12 authorityRevocationList Definition Contains a list of CA certificates that have been revoked. This attribute is to be stored and requested in the binary form, as ‘...
  • Page 87: businessCategory

    For example: buildingName: 14 This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.48 businessCategory Definition Identifies the type of business in which the entry is engaged. This should be a broad generalization, such as the corporate division level. For example: businessCategory: Engineering This attribute is defined in RFC 2256.
  • Page 88: cACertificate

    This attribute is defined in RFC 2256. Syntax DirectoryString, single-valued. 2.5.4.6 cACertificate Definition Contains the CA’s certificate. This attribute is to be stored and requested in the binary form, as ‘cACertificate;binary’. For example: cacertificate;binary:: AAAAAA== This attribute is defined in RFC 2256. Syntax Binary, multi-valued.
  • Page 89: certificateRevocationList

    certificateRevocationList Definition Contains a list of revoked user certificates. This attribute is to be stored and requested in the binary form, as ‘certificateRevocationList;binary’. For example: certificateRevocationList;binary:: AAAAAA== This attribute is defined in RFC 2256. Syntax Binary, multi-valued. 2.5.4.39 cn (commonName) Definition Identifies the name of an object in the directory.
  • Page 90: co (friendlyCountryName)

    2.5.4.3 co (friendlyCountryName) Definition Contains the name of a country. Often, the country attribute is used to describe a two-character code for a country, and the friendlyCountryName attribute is used to describe the actual country name. For example: friendlyCountryName: Ireland co: Ireland This attribute is defined in RFC 1274.
  • Page 91: Cosindirectspecifier

    cosIndirectSpecifier Description Specifies the attribute values used by an indirect CoS to identify the template entry. This attribute is defined in Directory Server. Syntax DirectoryString, single-valued. 2.16.840.1.113730.3.1.577 cosPriority Definition Specifies which template provides the attribute value when CoS templates compete to provide an attribute value.
  • Page 92: Costargettree

    2.16.840.1.113730.3.1.551 cosTargetTree Definition Determines the subtrees of the DIT to which the CoS schema applies. The values for this attribute for the schema and for multiple CoS schema may overlap their target trees in an arbitrary fashion. This attribute is defined in Directory Server. Syntax DirectoryString, single-valued.
  • Page 93: Crosscertificatepair

    crossCertificatePair Definition This attribute is to be stored and requested in the binary form, as ‘crossCertificatePair;binary’. For example: crosscertificatepair;binary:: AAAAAA== This attribute is defined in RFC 2256. Syntax Binary, multi-valued. 2.5.4.40 dc (domainComponent) Definition Specifies one component of a domain name. For example: domainComponent: example dc: example...
  • Page 94: Deltarevocationlist

    deltaRevocationList Definition This attribute is to be stored and requested in the binary form, as ‘deltaRevocationList;binary’. This attribute is defined in RFC 2256. Syntax Binary, multi-valued. 2.5.4.53 departmentNumber Definition Identifies the entry’s department number. For example: departmentNumber: 2604 This attribute is defined in RFC 2798.
  • Page 95: Destinationindicator

    Syntax DirectoryString, multi-valued. 2.5.4.13 destinationIndicator Definition The country and city associated with the entry needed to provide Public Telegram Service. Generally used in conjunction with registeredAddress For example: destinationIndicator: Stow, Ohio, USA This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued.
  • Page 96: Ditredirect

    2.16.840.1.113730.3.1.241 dITRedirect Definition Used to indicate that the object described by one entry now has a newer entry in the directory tree. This attribute may be used when an individual’s place of work changes, and the individual acquires a new organizational DN. For example: ditRedirect: cn=jdoe, o=example.com This attribute is defined in RFC 1274.
  • Page 97: Dn (Distinguishedname)

    dn (distinguishedName) Definition Defines the distinguished name (DN) for the entry. For example: dn: cn=Jane Doe, ou=Quality Control, o=example.com This attribute is defined in RFC 2256. Syntax 2.5.4.49 dNSRecord Definition Specifies DNS resource records, including type A (Address), type MX (Mail Exchange), type NS (Name Server), and type SOA (Start of Authority) resource records.
  • Page 98: Documentidentifier

    documentAuthor: cn=John Doe, o=example.com This attribute is defined in RFC 1274. Syntax DN, multi-valued. 0.9.2342.19200300.100.1.14 documentIdentifier Definition Specifies a unique identifier for a document. For example: documentIdentifier: L3204REV1 This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.11 documentLocation Definition Defines the location of the original copy of a document entry.
  • Page 99: Documentpublisher

    documentPublisher Definition The person and/or organization that published a document. For example: documentPublisher: Southeastern Publishing This attribute is defined in RFC 1274. Syntax DirectoryString, single-valued. 0.9.2342.19200300.100.1.56 documentStore Definition Not defined here. This attribute is defined in Internet White Pages Pilot. Syntax DirectoryString, multi-valued.
  • Page 100: Documentversion

    Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.12 documentVersion Definition Defines the version of a document entry. For example: documentVersion: 1.1 This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.13 drink (favoriteDrink) Definition Describes the favorite drink of a person entry. For example: drink: soda favouriteDrink: soda This attribute is defined in RFC 1274.
  • Page 101: Dsaquality

    dSAQuality Definition Specifies the purported quality of a DSA. This attribute allows a DSA manager to indicate the expected level of availability of the DSA. For example: dSAQuality: high This attribute is defined in RFC 1274. Syntax DirectoryString, single-valued. 0.9.2342.19200300.100.1.49 employeeNumber Definition Identifies the entry’s employee number.
  • Page 102: Enhancedsearchguide

    employeeType: Full time This attribute is defined in RFC 2798. Syntax DirectoryString, multi-valued. 2.16.840.1.113730.3.1.4 enhancedSearchGuide Definition Used by X.500 clients when constructing search filters. For example: enhancedSearchGuide: (uid=mhughes) This attribute is defined in RFC 2798. Syntax DirectoryString, multi-valued. 2.5.4.47 fax (facsimileTelephoneNumber) Definition Identifies the fax number at which the entry can be reached.
  • Page 103: Generationqualifier

    2.5.4.23 generationQualifier Definition Contains the generation Qualifier part of the name, typically appearing in the suffix. For example: generationqualifier:III This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.44 givenName Definition Identifies the entry’s given name, usually a person’s first name. For example: givenName: Hecuba This attribute is defined in RFC 2256.
  • Page 104: Homephone

    homePhone Definition Identifies the entry’s home phone number. For example: homeTelephoneNumber: 415-555-1212 homePhone: 415-555-1234 This attribute is defined in RFC 1274. Syntax TelephoneNumber, multi-valued. 0.9.2342.19200300.100.1.20 homePostalAddress Definition Identifies the entry’s home mailing address. This field is intended to include multiple lines, but each line within the entry should be separated by a dollar sign ($).
  • Page 105: Host

    0.9.2342.19200300.100.1.39 host Definition Defines the hostname of a computer. For example: host: mozilla This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.9 houseIdentifier Definition Identifies a building in a location. For example: houseIdentifier: B105 This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued.
  • Page 106: Info

    info Definition Specifies any general information pertinent to an object. It is recommended that specific usage of this attribute type is avoided and that specific requirements are met by other (possibly additional) attribute types. For example: info: not valid This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued.
  • Page 107: Janetmailbox

    This attribute is defined in RFC 2256. Syntax IA5String, multi-valued. 2.5.4.25 janetMailbox Definition Specifies an email address. This attribute is intended for the convenience of U.K. users unfamiliar with rfc822 mail addresses. Entries using this attribute must also include an rfc822Mailbox attribute. This attribute is defined in RFC 1274.
  • Page 108: Keywords

    keyWords Definition Contains keywords for the entry. For example: keyWords: directory LDAP X.500 This attribute is defined in Internet White Pages Pilot. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.102.1.7 knowledgeInformation Definition This attribute is no longer used. This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued.
  • Page 109: Labeleduri

    l: Santa Clara This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.7 labeledURI Definition Specifies a Uniform Resource Identifier (URI) that is relevant in some way to the entry. Values placed in the attribute should consist of a URI (currently only URLs are supported) optionally followed by one or more space characters and a label.
  • Page 110: Lastmodifiedtime

    Syntax DN, multi-valued. 0.9.2342.19200300.100.1.24 lastModifiedTime Definition Defines the last time, in UTC format, that a change was made to the entry. For example: lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.23 mail Definition Identifies a user’s primary email address (the email address retrieved and displayed by “white-pages”...
  • Page 111: Mailpreferenceoption

    mailPreferenceOption Definition Indicates a preference for inclusion of user names on mailing lists (electronic or physical). Accepted values include: • 0: user doesn’t want to be included in mailing lists. • 1: user consents to be added to any mailing list. •...
  • Page 112: Member

    member Definition Identifies the distinguished names for each member of the group. For example: member: cn=John Doe, o=example.com This attribute is defined in RFC 2256. Syntax DN, multi-valued. 2.5.4.31 memberCertificateDescription Definition This attribute is a multivalued attribute where each value is a description, a pattern, or a filter matching the subject DN of a certificate (usually certificates used for SSL client authentication).
  • Page 113: Memberurl

    memberCertificateDescription: {ou=x, ou=A, o=company, o=example} In order to match the group’s requirements, a certificate’s subject DN must contain the same attribute types in the same order as defined in the memberCertificateDescription attribute. This attribute is defined in Directory Server. Syntax IA5String, multi-valued.
  • Page 114: Name

    Syntax TelephoneNumber, multi-valued. 0.9.2342.19200300.100.1.41 name Definition Identifies the attribute supertype from which string attribute types used for naming may be formed. It is unlikely that values of this type will occur in an entry. LDAP server implementations that do not support attribute subtyping do not need to recognize this attribute in requests.
  • Page 115: Nslicenseendtime

    Syntax DirectoryString, multi-valued. 2.16.840.1.113730.3.1.36 nsLicenseEndTime Definition Reserved for future use. This attribute is defined in Netscape Administration Services. Syntax DirectoryString, multi-valued. 2.16.840.1.113730.3.1.38 nsLicenseStartTime Definition Reserved for future use. This attribute is defined in Netscape Administration Services. Syntax DirectoryString, multi-valued. 2.16.840.1.113730.3.1.37 ntUserDomainId Definition Identifies the Windows security domain name and user name of the entry in the...
  • Page 116: O (Organizationname)

    For example: ntUserDomainId: workgroup:jdoe Syntax cis (single) 2.16.840.1.113730.3.1.41 o (organizationName) Definition Identifies the name of the organization. For example: organizationName: Example Corporation, Inc. o: Example Corporation, Inc This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.10 objectClass Definition Specifies the object classes of the object.
  • Page 117: Obsoletedbydocument

    2.5.4.0 obsoletedByDocument Definition Contains the distinguished name of a document that obsoletes the document entry. This attribute is defined in Internet White Pages Pilot. Syntax DN, multi-valued. 0.9.2342.19200300.102.1.4 obsoletesDocument Definition Contains the distinguished name of a document that is obsoleted by the document entry.
  • Page 118: Othermailbox

    This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.45 otherMailbox Definition Specifies values for electronic mailbox types other than X.400 and rfc822. For example: otherMailbox: internet $ jdoe@example.com This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.22 ou (organizationUnitName) Definition...
  • Page 119: Owner

    2.5.4.11 owner Definition Identifies the distinguished name of the person responsible for the entry. For example: owner: cn=John Smith, o=Example Corporation, c=US This attribute is defined in RFC 2256. Syntax DN, multi-valued. 2.5.4.32 pager Definition Identifies the entry’s pager phone number. Abbreviation: pager For example: pagerTelephoneNumber: 415-555-6789...
  • Page 120: Personalsignature

    personalSignature Definition A signature file, in binary format, for the entry. For example: personalSignature:: AAAAAA== This attribute is defined in RFC 1274. Syntax Binary, multi-valued. 0.9.2342.19200300.100.1.53 personalTitle Definition Specifies a personal title for a person. Examples of personal titles are "Ms.," "Dr.," "Prof.,"...
  • Page 121: Physicaldeliveryofficename

    photo:: AAAAAA== This attribute is defined in RFC 1274. Syntax Binary, multi-valued. 0.9.2342.19200300.100.1.7 physicalDeliveryOfficeName Definition Identifies the name of the city or village in which a physical delivery office is located. For example: physicalDeliveryOfficeName: Santa Clara This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued.
  • Page 122: Postalcode

    The dollar (\24) value can be found$in the c:\5ccost file. This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.16 postalCode Definition Identifies the entry’s zip code in the United States. For example: postalCode: 44224 This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued.
  • Page 123: Preferreddeliverymethod

    preferredDeliveryMethod Definition Identifies the entry’s preferred contact or delivery method. For example: preferredDeliveryMethod: telephone This attribute is defined in RFC 2256. Syntax DirectoryString, single-valued. 2.5.4.28 preferredLanguage Definition Defines a person’s preferred written or spoken language. The value for this attribute should conform to the syntax for HTTP Accept-Language header values. This attribute is defined in RFC 2798.
  • Page 124: Protocolinformation

    This attribute is defined in RFC 2256. Syntax IA5String, single-valued. 2.5.4.29 protocolInformation Definition Used in conjunction with the presentationAddress attribute to provide additional information to the OSI network service. This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.48 Description Used in LDAPv3 to support smart referrals.
  • Page 125: Registeredaddress

    2.16.840.1.113730.3.1.34 registeredAddress Definition This attribute contains a postal address for receiving telegrams or expedited documents. The recipient’s signature is usually required on delivery. This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.26 roleOccupant Definition Contains the distinguished name of the person acting in the role defined in the entry.
  • Page 126: Roomnumber

    roomNumber Definition Specifies the room number of an object. The commonName attribute should be used for naming room objects. For example: roomNumber: 230 This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.6 searchGuide Definition Specifies information for a suggested search criteria when using the entry as the base object in the directory tree for a search operation.
  • Page 127: Seealso

    This attribute is defined in RFC 1274. Syntax DN, multi-valued. 0.9.2342.19200300.100.1.21 seeAlso Definition Identifies another Directory Server entry that may contain information related to this entry. For example: seeAlso: cn=Quality Control Inspectors,ou=manufacturing,o=example.com This attribute is defined in RFC 2256. Syntax DN, multi-valued.
  • Page 128: Singlelevelquality

    2.5.4.5 singleLevelQuality Definition Specifies the purported data quality at the level immediately below in the DIT. This attribute is defined in RFC 1274. Syntax DirectoryString, single-valued. 0.9.2342.19200300.100.1.50 sn (surname) Definition Identifies the entry’s surname, also referred to as last name or family name. For example: surname: Anderson sn: Anderson...
  • Page 129: St (Stateorprovincename)

    st (stateOrProvinceName) Definition Identifies the state or province in which the entry resides. Abbreviation: For example: stateOrProvinceName: California st: California This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.8 street Definition Identifies the entry’s house number and street name. For example: streetAddress: 1234 Ridgeway Drive street: 1234 Ridgeway Drive...
  • Page 130: Subject

    subject Definition Contains information about the subject matter of the document entry. For example: subject: employee option grants This attribute is defined in Internet White Pages Pilot. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.102.1.8 subtreeMaximumQuality Definition Specifies the purported maximum data quality for a DIT subtree. This attribute is defined in RFC 1274.
  • Page 131: Supportedalgorithms

    0.9.2342.19200300.100.1.51 supportedAlgorithms Definition This attribute is to be stored and requested in the binary form, as ‘supportedAlgorithms;binary’. For example: supportedAlgorithms:: AAAAAA== This attribute is defined in RFC 2256. Syntax Binary, multi-valued. 2.5.4.52 supportedApplicationContext Definition This attribute contains the identifiers of OSI application contexts. This attribute is defined in RFC 2256.
  • Page 132: Teletexterminalidentifier

    For example: telephoneNumber: 415-555-2233 This attribute is defined in RFC 2256. Syntax TelephoneNumber, multi-valued. 2.5.4.20 teletexTerminalIdentifier Definition Identifies the entry’s teletex terminal identifier. The format of the attribute is as follows: teletex-id = ttx-term 0*("$" ttx-param) ttx-term = printablestring ttx-param = ttx-key ":"...
  • Page 133: Textencodedoraddress

    actual-number "$" country "$" answerback where: • actual-number: the syntactic representation of the number portion of the telex number being encoded. • country: the TELEX country code. • answerback: the answerback code of a TELEX terminal. This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued.
  • Page 134: Ttl (Timetolive)

    title: Senior QC Inspector This attribute is defined in RFC 2256. Syntax DirectoryString, multi-valued. 2.5.4.12 ttl (timeToLive) Definition Contains the time, in seconds, that cached information about an entry should be considered valid. Once the specified time has elapsed, the information is considered out of date.
  • Page 135: Uniqueidentifier

    uid: banderson This attribute is defined in RFC 1274. Syntax DirectoryString, multi-valued. 0.9.2342.19200300.100.1.1 uniqueIdentifier Definition Identifies a specific item used to distinguish between two entries when a distinguished name has been reused. This attribute is intended to detect instances of a reference to a distinguished name that has been deleted.
  • Page 136: Updatedbydocument

    2.5.4.50 updatedByDocument Definition Contains the distinguished name of a document that is an updated version of the document entry. This attribute is defined in Internet White Pages Pilot. Syntax DN, multi-valued. 0.9.2342.19200300.102.1.6 updatesDocument Definition Contains the distinguished name of a document for which this document is an updated version.
  • Page 137: Userclass

    userCertificate;binary:: AAAAAA== This attribute is defined in RFC 2256. Syntax Binary, multi-valued. 2.5.4.36 userClass Definition Specifies a category of computer user. The semantics of this attribute are arbitrary. The organizationalStatus attribute makes no distinction between computer users and other users and may be more applicable. For example: userClass: intern This attribute is defined in RFC 1274.
  • Page 138: Userpkcs12

    This attribute is defined in RFC 2256. Syntax Binary, multi-valued. 2.5.4.35 userPKCS12 Definition This attribute provides a format for the exchange of personal identity information. The attribute is to be stored and requested in binary form, as ‘userPKCS12;binary’. The attribute values are PFX PDUs stored as binary data. This attribute is defined in RFC 2798.
  • Page 139: X121Address

    x121Address Definition Defines the X.121 address of a person. This attribute is defined in RFC 2256. Syntax IA5String, multi-valued. 2.5.4.24 x500UniqueIdentifier Definition Reserved for future use. A binary method of identification useful for differentiating objects when a distinguished name has been reused. For example: x500UniqueIdentifier:: AAAAAA== This attribute is defined in RFC 2256.
  • Page 141: Chapter 4 Operational Attributes, Special Attributes, And Special Object Classes

    Chapter 4 Operational Attributes, Special Attributes, and Special Object Classes This chapter provides definitions, syntax, and OIDs for operational attributes used by Netscape Directory Server (Directory Server). Operational attributes are available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry.
  • Page 142: Operational Attributes

    Operational Attributes Operational Attributes accountUnlockTime Definition This refers to the amount of time that must pass after an account lockout before the user can bind to the directory again. This attribute is defined in Directory Server. Syntax DirectoryString, multi-valued 2.16.840.1.113730.3.1.95 Definition Used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.
  • Page 143: Attributetypes

    Operational Attributes This attribute is defined in RFC 2252. Syntax IA5String, multi-valued. 1.3.6.1.4.1.1466.101.120.6 attributeTypes Definition Multi-valued attribute that specifies the attribute types used within a subschema. Each value describes a single attribute. This attribute is defined in RFC 2252. Syntax DirectoryString, multi-valued.
  • Page 144: Copyingfrom

    Operational Attributes copyingFrom Definition Used by a read-only replica to recognize the master data source while replication is in progress. Contains a reference to the server that holds the master data. This attribute is only used for legacy replication. It is not used for multi-master replication.
  • Page 145: Ldapsyntaxes

    Operational Attributes Syntax DirectoryString, multi-valued. 2.5.21.1 ldapSyntaxes Definition This attribute identifies the syntaxes implemented, with each value corresponding to one syntax. This attribute is defined in RFC 2252. Syntax DirectoryString, multi-valued. 1.3.6.1.4.1.1466.101.120.16 matchingRules Definition Multi-valued attribute that defines the matching rules used within a subschema. Each value defines one matching rule.
  • Page 146: Matchingruleuse

    Operational Attributes matchingRuleUse Definition Used to indicate the attribute types to which a matching rule applies in a subschema. This attribute is defined in RFC 2252. Syntax DirectoryString, multi-valued. 2.5.21.8 nameForms Definition Multi-valued attribute that defines the name forms used in a subschema. Each value defines one name form.
  • Page 147: Nsds5Replconflict

    Operational Attributes Syntax DN, multi-valued. 1.3.6.1.4.1.1466.101.120.5 nsds5replconflict Definition This attribute is a conflict marker attribute. It is included on entries that have a change conflict that cannot be resolved automatically by the replication process. This attribute is defined in Directory Server. Syntax DirectoryString, multi-valued.
  • Page 148: Nsroledn

    Operational Attributes nsRoleDn Definition This attribute contains the distinguished name of all roles that apply to an entry. Membership of a managed role is conferred upon an entry by adding the role’s DN to the entry’s nsRoleDN attribute. For example: dn: cn=staff,o=Netscape,o=example.com objectclass: LDAPsubentry objectclass: nsRoleDefinition...
  • Page 149: Numsubordinates

    Operational Attributes numSubordinates Description Indicates how many immediate subordinates an entry has. For example, in a leaf entry, numSubordinates=0. This attribute is defined in the numSubordinates Internet Draft. Syntax INTEGER, single-valued. 1.3.1.1.4.1.453.16.2.103 objectClasses Definition Multi-valued attribute that defines the object classes used in a subschema. Each value defines one object class.
  • Page 150: Passwordchange (Pwdallowuserchange)

    Operational Attributes 2.16.840.1.113730.3.1.214 passwordChange (pwdAllowUserChange) Definition Specifies whether users may change their passwords. This attribute is defined in Directory Server. Syntax DirectoryString, single-valued. 2.16.840.1.113730.3.1.102 passwordCheckSyntax (pwdCheckSyntax) Definition Specifies whether the password syntax will be checked before the password is saved. (The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user’s name or ID or any attribute value stored in the...
  • Page 151: Passwordexp

    Operational Attributes passwordExp Definition Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the attribute.
  • Page 152: Passwordgracelimit

    Operational Attributes 2.16.840.1.113730.3.1.92 passwordGraceLimit Definition Used to specify the number of (grace) login attempts that are allowed to a user after the password has expired. This attribute is defined in Directory Server. Syntax DirectoryString, single-valued. 2.16.840.1.113730.3.1.999 passwordGraceUserTime Definition Used to count the number of attempts the user has made with the expired password.
  • Page 153: Passwordinhistory (Pwdinhistory)

    Operational Attributes Syntax Binary, multi-valued. 2.16.840.1.113730.3.1.96 passwordInHistory (pwdInHistory) Definition Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled. That is, the Directory Server does not store any old passwords, so users can reuse passwords.
  • Page 154: Passwordlockoutduration (Pwdlockoutduration)

    Operational Attributes 2.16.840.1.113730.3.1.105 passwordLockoutDuration (pwdLockoutDuration) Definition Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password.
  • Page 155: Passwordmaxfailure (Pwdmaxfailure)

    Operational Attributes passwordMaxFailure (pwdMaxFailure) Definition Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the passwordLockout (pwdLockOut) attribute. This attribute is defined in Directory Server.
  • Page 156: Passwordminlength (Pwdminlength)

    Operational Attributes passwordMinLength (pwdMinLength) Definition Specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack, so you are recommended to set a password length of at least 6 or 7 characters. This is long enough to be difficult to crack, but short enough that users can remember the password without writing it down.
  • Page 157: Passwordretrycount

    Operational Attributes reaches the number of failures specified by the passwordMaxFailure (pwdMaxFailure) attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration (pwdLockoutDuration) attribute, the failure counter is reset to zero (0). This attribute is defined in Directory Server. Syntax Integer, single-valued.
  • Page 158: Passwordunlock

    Operational Attributes • CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords. This attribute is defined in Directory Server. Syntax DirectoryString, single-valued. 2.16.840.1.113730.3.1.221 passwordUnlock Definition Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout.
  • Page 159: Pwdpolicysubentry

    Operational Attributes Syntax Integer, single-valued. 2.16.840.1.113730.3.1.104 pwdpolicysubentry Definition Points to the entry DN of the new password policy. This attribute is defined in Directory Server. Syntax DirectoryString, single-valued. 2.16.840.1.113730.3.1.997 retryCountResetTime Definition Specifies the length of time that passes before the is reset.
  • Page 160: Supportedcontrol

    Operational Attributes subschemaSubentry: cn=schema This attribute is defined in RFC 2252. Syntax DN, single-valued. 2.5.18.10 supportedControl Definition The values of this attribute are the object identifiers (OIDs) that identify the controls supported by the server. When the server does not support controls, this attribute is absent.
  • Page 161: Supportedldapversion

    Special Attributes supportedLDAPVersion Definition Identifies the versions of the LDAP protocol implemented by the server. This attribute is defined in RFC 2252. Syntax INTEGER, multi-valued. 1.3.6.1.4.1.1466.101.120.15 supportedSASLMechanisms Definition Identifies the names of the SASL mechanisms supported by the server. When the server does not support SASL attributes, this attribute is absent. This attribute is defined in RFC 2252.
  • Page 162: Changelog

    Special Attributes Syntax Binary, multi-valued. 2.16.840.1.113730.3.1.8 changeLog Description The distinguished name of the entry which contains the set of entries comprising the server’s changelog. This attribute is defined in the Changelog Internet Draft. Syntax DN, multi-valued. 2.16.840.1.113730.3.1.35 changeNumber Description This single-valued attribute is always present. It contains an integer which uniquely identifies each change made to a directory entry.
  • Page 163: Changetime

    Special Attributes changeTime Description Defines a time, in a YYMMDDHHMMSS format, when the entry was added. This attribute is defined in Directory Server. Syntax DirectoryString, multi-valued. 2.16.840.1.113730.3.1.77 changeType Description Specifies the type of LDAP operation. This attribute can have one of the following values: , or delete...
  • Page 164: Newrdn

    Special Attributes 2.16.840.1.113730.3.1.10 newRdn Description In the case of modrdn operations, specifies the new RDN of the entry. This attribute is defined in the Changelog Internet Draft. Syntax DN, multi-valued. 2.16.840.1.113730.3.1.9 newSuperior Description In the case of modrdn operations, specifies the newSuperior attribute of the entry. This attribute is defined in the Changelog Internet Draft.
  • Page 165: Nssaslmapregexstring

    Special Attributes 2.16.840.1.113730.3.1.2063 nsSaslMapRegexString Description Contains a regular expression used to map SASL identity strings. This attribute is defined in Directory Server. Syntax Case-Exact String, single-valued 2.16.840.1.113730.3.1.2064 nsSaslMapBaseDNTemplate Description Contains the search base DN template used in SASL identity mapping. This attribute is defined in Directory Server.
  • Page 166: Targetdn

    Special Object Classes 2.16.840.1.113730.3.1.2066 targetDn Description Contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved. This attribute is defined in the Changelog Internet Draft.
  • Page 167: Nsattributeencryption

    Special Object Classes Required Attributes objectClass Defines the object classes for the entry. changeNumber Number assigned arbitrarily to the changelog. changeTime The time at which a change took place. changeType The type of change performed on an entry. targetDn The distinguished name of an entry added, modified or deleted on a supplier server.
  • Page 168: nsSaslMapping

    Special Object Classes. Required Attributes: cn=attributeName: The common name of the attribute being encrypted. nsEncryptionAlgorithm: The encryption cipher used. cn=databaseName: The name of the database where the attribute is stored. nsSaslMapping. Definition: Identity mapping configuration for SASL. This object class is defined in Directory Server. Superior Class: ... OID: 2.16.840.1.113730.3.2.317. Required Attributes:...
  • Page 169: subschema

    Special Object Classes. Required Attributes: objectClass: Defines the object classes for the entry. Allowed Attributes: accountUnlockTime: Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again. passwordAllowChangeTime: Used to specify the length of time that must pass before the user is allowed to change their password.
  • Page 170: Special Object Classes. OID: 2.5.20.1. Required Attributes: objectClass: Defines the object classes for the entry. Allowed Attributes: attributeTypes: Attribute types used within a subschema. dITContentRules: Defines the DIT content rules which are in force within a subschema. dITStructureRules: Defines the DIT structure rules which are in force within a subschema.
  • Page 171: Index
