5.2. Assigning Class of Service

A Class of Service definition (CoS) shares attributes between entries in a way that is transparent to applications. CoS simplifies entry management and reduces storage requirements.

5.2.1. About CoS

Clients of the Directory Server read the attributes on a user's entry. With CoS, some attribute values may not be stored with the entry itself. Instead, they are generated by class of service logic as the entry is sent to the client application.

Each CoS is comprised of the following two types of entry in the directory:

CoS Definition Entry. The CoS definition entry identifies the type of CoS used. Like the role definition entry, it inherits from the LDAPsubentry object class. The CoS definition entry is below the branch at which it is effective.
Template Entry. The CoS template entry contains a list of the shared attribute values. Changes to the template entry attribute values are automatically applied to all the entries within the scope of the CoS. A single CoS might have more than one template entry associated with it.

The CoS definition entry and template entry interact to provide attribute information to their target entries, any entry within the scope of the CoS.

5.2.1.1. About the CoS Definition Entry

The CoS definition entry is an instance of the cosSuperDefinition object class. The CoS definition entry also contains an object class that specifies the type of template entry it uses to generate the entry. There are three different object classes which can be specified, depending upon the type of CoS. The target entries share the same parent as the CoS definition entry.

There are three types of CoS, defined using three types of CoS definition entries:

Pointer CoS. A pointer CoS identifies the template entry using the template DN only.
Indirect CoS. An indirect CoS identifies the template entry using the value of one of the target entry's attributes. For example, an indirect CoS might specify the manager attribute of a target entry. The value of the manager attribute is then used to identify the template entry.
The target entry's attribute must be single-valued and contain a DN.
Classic CoS. A classic CoS identifies the template entry using a combination of the template entry's base DN and the value of one of the target entry's attributes.

For more information about the object classes and attributes associated with each type of CoS, refer to Section 5.2.3, “Managing CoS from the Command-Line”.

If the CoS logic detects that an entry contains an attribute for which the CoS is generating values, the CoS, by default,supplies the client application with the attribute value in the entry itself. However, the CoS definition entry can control this behavior.

5.2.1.2. About the CoS Template Entry

The CoS template entry contains the value or values of the attributes generated by the CoS logic. The CoS template entry contains a general object class of cosTemplate. The CoS template entries for a given CoS are stored in the directory tree along with the CoS definition.

The relative distinguished name (RDN) of the template entry is determined by one of the following:

The DN of the template entry alone.
This type of template is associated with a pointer CoS definition.
The value of one of the target entry's attributes.
The attribute used to provide the relative DN to the template entry is specified in the CoS definition entry using the cosIndirectSpecifier attribute. This type of template is associated with an indirect CoS definition.
By a combination of the DN of the subtree where the CoS performs a one level search for templates and the value of one of the target entry's attributes.
This type of template is associated with a classic CoS definition.

5.2.1.3. How a Pointer CoS Works

An administrator creates a pointer CoS that shares a common postal code with all of the entries stored under dc=example,dc=com. The three entries for this CoS appear as illustrated in Figure 5.1, “Sample Pointer CoS”.

Figure 5.1. Sample Pointer CoS

In this example, the template entry is identified by its DN, cn=exampleUS,cn=data, in the CoS definition entry. Each time the postalCode attribute is queried on the entry cn=wholiday,ou=people,dc=example,dc=com, the Directory Server returns the value available in the template entry cn=exampleUS,cn=data.

5.2.1.4. How an Indirect CoS Works

An administrator creates an indirect CoS that uses the manager attribute of the target entry to identify the template entry. The three CoS entries appear as illustrated in Figure 5.2, “Sample Indirect CoS”.

Figure 5.2. Sample Indirect CoS

In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William's manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry, cn=Carla Fuentes,ou=people,dc=example,dc=com. The template entry in turn provides the departmentNumber attribute value of 318842.

5.2.1.5. How a Classic CoS Works

An administrator creates a classic CoS that uses a combination of the template DN and a CoS specifier to identify the template entry containing the postal code. The three CoS entries appear as illustrated in Figure 5.3, “Sample Classic CoS”:

Figure 5.3. Sample Classic CoS

In this example, the CoS definition entry's cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identify the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the value of the postalCode attribute to the target entry.

5.2.1.6. Searches for CoS-Specified Attributes

CoS definitions provide values for attributes in entries. For example, a CoS can set the postalCode attribute for every entry in a subtree. Searches against those CoS-defined attributes, however, do not behave like searches against regular entries.

If the CoS-defined attribute is indexed with any kind of index (including presence), then any attribute with a value set by the CoS is not returned with a search. For example:
- The postalCode attribute for Ted Morris is defined by a CoS.
- The postalCode attribute for Barbara Jensen is set in her entry.
- The postalCode attribute is indexed.
If an ldapsearch command uses the filter (postalCode=*), then Barbara Jensen's entry would be returned, while Ted Morris's would not.
If the CoS-defined attribute is not indexed, then every matching entry is returned in a search, regardless of whether the attribute value is set locally or with CoS. For example:
- The postalCode attribute for Ted Morris is defined by a CoS.
- The postalCode attribute for Barbara Jensen is set in her entry.
- The postalCode attribute is not indexed.
If an ldapsearch command uses the filter (postalCode=*), then both Barbara Jensen's and Ted Morris's entries are returned.
CoS allows for an override, an identifier given to the cosAttribute attribute in the CoS entry, which means that local values for an attribute can override the CoS value. If an override is set on the CoS, then an ldapsearch operation will return a value for an entry even if the attribute is indexed, as long as there is a local value for the entry. Other entries which possess the CoS but do not have a local value will still not be returned in the ldapsearch operation.

Because of the potential issues with running LDAP search requests on CoS-defined attributes, take care when deciding which attributes to generate using a CoS.

5.2.2. Managing CoS Using the Console

This section describes creating and editing CoS through the Directory Server Console. It includes the following sections:

5.2.2.1. Creating a New CoS

In the Directory Server Console, select the Directory tab.
Browse the tree in the left navigation pane, and select the parent entry for the new class of service.
Go to the Object menu, and select New > Class of Service.
Alternatively, right-click the entry and select New > Class of Service.
The Create New Class of Service dialog opens.
Select General in the left pane. In the right pane, enter the name of the new class of service in the Class Name field. Enter a description of the class in the Description field.
Click Attributes in the left pane. The right pane displays a list of attributes generated on the target entries.
Click Add to browse the list of possible attributes and add them to the list.
After an attribute is added to the list, a drop-down list appears in the Class of Service Behavior column.
- Select Does not override target entry attribute to tell the directory to only return a generated value if there is no corresponding attribute value stored with the entry.
- Select Overrides target entry attribute to make the value of the attribute generated by the CoS override the local value.
- Select Overrides target entry attribute and is operational to make the attribute override the local value and to make the attribute operational, so that it is not visible to client applications unless explicitly requested.
- Select Does not override target entry attribute and is operational to tell the directory to return a generated value only if there is no corresponding attribute value stored with the entry and to make the attribute operational (so that it is not visible to client applications unless explicitly requested).
NOTE
An attribute can only be made operational if it is also defined as operational in the schema. For example, if a CoS generates a value for the description attribute, you cannot select Overrides target entry attribute and is operational because this attribute is not marked operational in the schema.
Click Template in the left pane. In the right pane, select how the template entry is identified.
- By its DN. To have the template entry identified by only its DN (a pointer CoS), enter the DN of the template in the Template DN field. Click Browse to locate the DN on the local server. This will be an exact DN, such as cn=CoS template,ou=People,dc=example,dc=com.
- Using the value of one of the target entry's attribute. To have the template entry identified by the value of one of the target entry's attributes (an indirect CoS), enter the attribute name in the Attribute Name field. Click Change to select a different attribute from the list of available attributes.
- Using both its DN and the value of one of the target entry's attributes. To have the template entry identified by both its DN and the value of one of the target entry's attributes (a classic CoS), enter both a template DN and an attribute name. The template DN in a classic CoS is more general than for a pointer CoS; it references the suffix or sub suffix where the template entries will be (there can be more than one template).
Click OK.

5.2.2.2. Creating the CoS Template Entry

For a pointer CoS or a classic CoS, there must be a template entry, according to the template DN set when the class of service was created. Although the template entries can be placed anywhere in the directory as long as the cosTemplateDn attribute reflects that DN, it is best to place the template entries under the CoS itself.

For a pointer CoS, make sure that this entry reflects the exact DN given when the CoS was created. For a classic CoS, the template DN should be recursive, pointing back to the CoS entry itself as the base suffix for the template.

In the Directory Server Console, select the Directory tab.
Browse the tree in the left navigation pane, and select the parent entry that contains the class of service.
The CoS appears in the right pane with other entries.
Right-click on the CoS and select New > Other.
Select cosTemplate from the list of object classes.
NOTE
The LDAPsubentry object class can be added to a new template entry. Making the CoS template entry an instance of the LDAPsubentry object class allows ordinary searches to be performed unhindered by the configuration entries. However, if the template entry already exists and is used for something else (for example, if it is a user entry), the LDAPsubentry object class does not need to be added to the template entry.
The Property Editor opens.
Select the object classes attribute, and hit Add Value. Add the extensibleObject object class. This makes it possible to add any attribute available in the directory.
Click on the Add Attribute button.
Add the cn attribute, and give it a value that corresponds to the attribute value in the target entry. For example, if the manager attribute is used to set the value for a classic CoS, give the cn a value of uid=bparker,ou=people,dc=example,dc=com. Alternatively, set it to a role, such as cn=QA Role,dc=example,dc=com or a regular attribute value. For example, if the employeeType attribute is selected, it can be full time or temporary.
Click the Add Attribute button, and add the attributes listed in the CoS. The values used here will be used throughout the directory in the targeted entries.
Set the cospriority. There may be more than one CoS that applies to a given attribute in an entry; the cospriority attribute ranks the importance of that particular CoS. The higher cospriority will take precedence in a conflict. The highest priority is 0.
Templates that contain no cosPriority attribute are considered the lowest priority. In the case where two or more templates are considered to supply an attribute value and they have the same (or no) priority, a value is chosen arbitrarily. The behavior for negative cosPriority values is not defined in Directory Server; do not enter negative values. Also, the cosPriority attribute is not supported by indirect CoS.
Hit save.

The CoS will be visible in the left navigation pane once there are entries beneath it. For classic CoS, there can be multiple entries, according to the different potential values of the attribute specifier.

5.2.2.3. Editing an Existing CoS

To edit the description or attributes generated on the target entry of an existing CoS, do the following:

In the Directory Server Console, select the Directory tab.
Browse the tree in the left navigation pane, and select the parent entry that contains the class of service.
The CoS appears in the right pane with other entries.
Double-click the CoS.
The Edit Entry dialog box appears.
Click General in the left pane to change the CoS name and description.
Click Attributes in the left pane to add or remove attributes generated by the CoS.
Click OK.
The target entries of the CoS are automatically updated.

5.2.2.4. Deleting a CoS

In the Directory Server Console, select the Directory tab.
Browse the tree in the left navigation pane, and select the parent entry that contains the class of service.
The CoS appears in the right pane with other entries.
Right-click the CoS, and select Delete. A dialog box appears to confirm the deletion. Click Yes.

5.2.3. Managing CoS from the Command-Line

Because all configuration information and template data is stored as entries in the directory, standard LDAP tools can be used for CoS configuration and management. This section contains the following topics:

5.2.3.1. Creating the CoS Definition Entry from the Command-Line

Each type of CoS requires a particular object class to be specified in the definition entry. All CoS definition object classes inherit from the LDAPsubentry object class and the cosSuperDefinition object class. Table 5.2, “CoS Definition Entry Object Classes” lists the object classes associated with each type of CoS definition entry.

CoS Type	Object Classes	Description
Pointer CoS	cosPointerDefinition	Identifies the template entry associated with the CoS definition using the template entry's DN value. The DN of the template entry is specified in the `cosTemplateDn` attribute.
Indirect CoS	cosIndirectDefinition	Identifies the template entry using the value of one of the target entry's attributes. The attribute of the target entry is specified in the `cosIndirectSpecifier` attribute.
Classic CoS	cosClassicDefinition	Identifies the template entry using both the template entry's DN (as specified in the `cosTemplateDn` attribute) and the value of one of the target entry's attributes (as specified in the `cosSpecifier` attribute).

Table 5.2. CoS Definition Entry Object Classes

Table 5.3, “CoS Definition Entry Attributes” lists attributes that available to use in the CoS definition entries.

Attribute	Definition
cosAttribute	Provides the name of the attribute for which to generate a value. There can be more than one `cosAttribute` value. This attribute is used by all types of CoS definition entries.
cosIndirectSpecifier	Specifies the attribute value used by an indirect CoS to identify the template entry.
cosSpecifier	Specifies the attribute value used by a classic CoS, which, along with the template entry's DN, identifies the template entry.
cosTemplateDn	Provides the DN of the template entry associated with the CoS definition. Used for pointer CoS and classic CoS only.

Table 5.3. CoS Definition Entry Attributes

The cosAttribute attribute allows an additional qualifier after the attribute value. There are four possible qualifiers:

Default. This qualifier indicates that the server only returns a generated value if there is no corresponding attribute value stored with the entry.
Override. This qualifier indicates that the server always returns the value generated by the CoS, even when there is a value stored with the entry.
Operational. This qualifier indicates that the attribute will only be returned if it is explicitly requested in the search. Operational attributes do not need to pass a schema check in order to be returned. When operational is used as a qualifier, it works as if override and operational were specified.
NOTE
An attribute can only be made operational if it is also defined as operational in the schema. For example, if the CoS generates a value for the description attribute, it is not possible to use the operational qualifier because this attribute is not marked operational in the schema.
Operational-default. This qualifier indicates that the server only returns a generated value if there is no corresponding attribute value stored with the entry and if it is explicitly requested in the search.

If no qualifier is set, default is assumed.

For example, a pointer CoS definition entry that contains an override qualifier is created as follows:

dn: cn=pointerCoS,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=exampleUS,ou=data,dc=example,dc=com
cosAttribute: postalCode override

This pointer CoS definition entry indicates that it is associated with a template entry, cn=exampleUS,ou=data,dc=example,dc=com, that generates the value of the postalCode attribute. The override qualifier indicates that this value will take precedence over the value stored by the entries for the postalCode attribute.

NOTE

If an entry contains an attribute value generated by a CoS, the value of the attribute cannot be manually updated if it is defined with the operational or override qualifiers.

For more information about the attributes, refer to the Directory Server Configuration, Command, and File Reference.

Table 5.4, “CoS Definitions” describes the CoS definition for each type of CoS.

CoS Type CoS definition

Pointer CoS

CoS Type	CoS definition
Pointer CoS	objectclass: top objectclass: cosSuperDefinition objectclass: cosPointerDefinition cosTemplateDn:`DN_string` cosAttribute:`list_of_attributes qualifier`
Indirect CoS	objectclass: top objectclass: cosSuperDefinition objectclass: cosIndirectDefinition cosIndirectSpecifier:`attribute_name` cosAttribute:`list_of_attributes qualifier`
Classic CoS	objectclass: top objectclass: cosSuperDefinition objectclass: cosClassicDefinition cosTemplateDn:`DN_string` cosSpecifier:`attribute_name` cosAttribute:`list_of_attributes qualifier`

objectclass: top 
objectclass: cosSuperDefinition 
objectclass: cosPointerDefinition 
cosTemplateDn:DN_string
cosAttribute:list_of_attributes qualifier

Indirect CoS

objectclass: top 
objectclass: cosSuperDefinition 
objectclass: cosIndirectDefinition 
cosIndirectSpecifier:attribute_name
cosAttribute:list_of_attributes qualifier

Classic CoS

objectclass: top 
objectclass: cosSuperDefinition 
objectclass: cosClassicDefinition 
cosTemplateDn:DN_string
cosSpecifier:attribute_name
cosAttribute:list_of_attributes qualifier

Table 5.4. CoS Definitions

CoS definition entries are operational entries and are not returned by default with regular searches. This means that if a CoS is defined under ou=People,dc=example,dc=com, for example, the following ldapsearch command will not return them:

ldapsearch -s sub -b ou=People,dc=example,dc=com “(objectclass=*)”

To return the CoS definition entries, add the ldapSubEntry object class to the CoS definition entries. For example:

dn: cn=pointerCoS,ou=People,dc=example,dc=com
objectclass: top 
objectclass: cosSuperDefinition 
objectclass: cosPointerDefinition 
objectclass: ldapSubEntry 
cosTemplateDn: cn=exampleUS,ou=data,dc=example,dc=com
cosAttribute: postalCode override

Then use a special search filter, (objectclass=ldapSubEntry), with the search. This filter can be added to any other search filter using OR (|):

ldapsearch -s sub -b ou=People,dc=example,dc=com “(|(objectclass=*)(objectclass=ldapSubEntry))”

This search returns all regular entries in addition to CoS definition entries in the ou=People,dc=example,dc=com subtree.

NOTE

The Console automatically shows CoS entries.

5.2.3.2. Creating the CoS Template Entry from the Command-Line

Each template entry is an instance of the cosTemplate object class.

NOTE

Consider adding the LDAPsubentry object class to a new template entry. Making the CoS template entry an instance of the LDAPsubentry object classes allows ordinary searches to be performed unhindered by the configuration entries. However, if the template entry already exists and is used for something else, such as a user entry, the LDAPsubentry object class does not need to be added to the template entry.

The CoS template entry also contains the attribute generated by the CoS (as specified in the cosAttribute attribute of the CoS definition entry) and the value for that attribute.

For example, a CoS template entry that provides a value for the postalCode attribute follows:

dn:cn=exampleUS,ou=data,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
postalCode: 44438

It is possible to create CoS templates that compete with each other to provide an attribute value. For example, there can be a multi-valued cosSpecifier attribute in the CoS definition entry. Specifying the template priority on each template entry determines which template provides the attribute value. Set the template priority using the cosPriority attribute. This attribute represents the global priority of a particular template. A priority of zero is the highest priority.

For example, a CoS template entry for generating a department number appears as follows:

dn: cn=data,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
departmentNumber: 71776
cosPriority: 0

This template entry contains the value for the departmentNumber attribute. It has a priority of zero, meaning this template takes precedence over any other conflicting templates that define a different departmentNumber value.

Templates that contain no cosPriority attribute are considered the lowest priority. Where two or more templates are considered to supply an attribute value and they have the same (or no) priority, a value is chosen arbitrarily. The behavior for negative cosPriority values is not defined in Directory Server; do not enter negative values. Also, the cosPriority attribute is not supported by indirect CoS.

The following sections provide examples of template entries along with examples of each type of CoS definition entry.

5.2.3.3. Example of a Pointer CoS

Example Corporation's administrator is creating a pointer CoS that shares a common postal code with all entries in the dc=example,dc=com tree.

Add a new pointer CoS definition entry to the dc=example,dc=com suffix using ldapmodify:
```
ldapmodify -a -D "cn=directory manager" -w secret -h host -p 389
```
The ldapmodify utility binds to the server and prepares it to add information to the configuration file.

Next, add the pointer CoS definition to the dc=example,dc=com root suffix.

dn: cn=pointerCoS,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=exampleUS,ou=data,dc=example,dc=com
cosAttribute: postalCode

Create the template entry.

dn: cn=exampleUS,ou=data,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
postalCode: 44438

The CoS template entry (cn=exampleUS,ou=data,dc=example,dc=com) supplies the value stored in its postalCode attribute to any entries located under the dc=example,dc=com suffix. These entries are the target entries.

5.2.3.4. Example of an Indirect CoS

This indirect CoS uses the manager attribute of the target entry to identify the CoS template entry, which varies depending on the different values of the attribute.

Add a new indirect CoS definition entry to the dc=example,dc=com suffix, using ldapmodify as follows:
```
ldapmodify -a -D "cn=directory manager" -w secret -h host -p 389
```
The ldapmodify utility binds to the server and prepares it to add information to the configuration file.

Add the indirect CoS definition to the dc=example,dc=com root suffix as follows:

dn: cn=indirectCoS,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosIndirectDefinition
cosIndirectSpecifier: manager
cosAttribute: departmentNumber

If the directory or modify the manager entries already contain the departmentNumber attribute, then no other attribute needs to be added to the manager entries. The definition entry looks in the target suffix (the entries under dc=example,dc=com) for entries containing the manager attribute because this attribute is specified in the cosIndirectSpecifier attribute of the definition entry). It then checks the departmentNumber value in the manager entry that is listed. The value of the departmentNumber attribute will automatically be relayed to all of the manager's subordinates that have the manager attribute. The value of departmentNumber will vary depending on the department number listed in the different manager's entries.

5.2.3.5. Example of a Classic CoS

The Example Corporation administrator is creating a classic CoS that automatically generates postal codes using a combination of the template DN and the attribute specified in the cosSpecifier attribute.

Add a new classic CoS definition entry to the dc=example,dc=com suffix, using ldapmodify.
```
ldapmodify -a -D "cn=directory manager" -w secret -h host -p 389
```
The ldapmodify utility binds to the server and prepares it to add information to the configuration file.

Add the indirect CoS definition to the dc=example,dc=com root suffix.

dn: cn=classicCoS,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosClassicDefinition
cosTemplateDn: cn=classicCoS,dc=example,dc=com
cosSpecifier: businessCategory
cosAttribute: postalCode override

Create the template entries for the sales and marketing departments. Add the CoS attributes to the template entry. The cn of the template sets the value of the businessCategory attribute in the target entry, and then the attributes are added or overwritten according to the value in the template:
```
dn: cn=sales,cn=classicCoS,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
postalCode: 44438

dn: cn=marketing,cn=classicCoS,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
postalCode: 99111
```

The classic CoS definition entry applies to all entries under the dc=example,dc=com suffix. Depending upon the combination of the businessCategory attribute found in the entry and the cosTemplate DN, it can arrive at one of two templates. One, the sales template, provides a postal code specific to employees in the sales department. The marketing template provides a postal code specific to employees in the marketing department.

5.2.4. Creating Role-Based Attributes

Classic CoS schemes generate attribute values for an entry based on the role possessed by the entry. For example, role-based attributes can be used to set the server look-through limit on an entry-by-entry basis.

To create a role-based attribute, use the nsRole attribute as the cosSpecifier in the CoS definition entry of a classic CoS. Because the nsRole attribute can be multi-valued, CoS schemes can be defined that have more than one possible template entry. To resolve the ambiguity of which template entry to use, include the cosPriority attribute in the CoS template entry.

For example, this CoS allows members of the manager role to exceed the standard mailbox quota. The manager role entry is:

dn: cn=ManagerRole,ou=people,dc=example,dc=com
objectclass: top
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: ManagerRole
nsRoleFilter: o=managers
Description: filtered role for managers

The classic CoS definition entry looks like:

dn: cn=managerCOS,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosClassicDefinition
cosTemplateDn: cn=managerCOS,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: mailboxquota override

The cosTemplateDn attribute provides a value that, in combination with the attribute specified in the cosSpecifier attribute (in the example, the nsRole attribute of the target entry), identifies the CoS template entry. The CoS template entry provides the value for the mailboxquota attribute. An additional qualifier of override tells the CoS to override any existing mailboxquota attributes values in the target entry.

The corresponding CoS template entry looks as follows:

dn:cn="cn=ManagerRole,ou=people,dc=example,dc=com",cn=managerCOS,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: cosTemplate
mailboxquota: 1000000

The template provides the value for the mailboxquota attribute, 1000000.

NOTE

The role entry and the CoS definition and template entries should be located at the same level in the directory tree.

5.2.5. Access Control and CoS

The server controls access to attributes generated by a CoS in exactly the same way as regular stored attributes. However, access control rules depending upon the value of attributes generated by CoS will not work. This is the same restriction that applies to using CoS-generated attributes in search filters.