Chapter 4 Operational Attributes, Special Attributes, and Special Object Classes
This chapter describes operational attributes used by Netscape Directory Server (Directory Server). Operational attributes are available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are returned in an ldapsearch operation only if they are specifically requested. This chapter also describes some special attributes and object classes that are used by the server. (When an object class inherits attributes from other object classes, the inherited attributes are shown in italics.)
This refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
This attribute is defined in Directory Server.
Used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.
This attribute is defined in Directory Server.
The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. You may cache this information in case your preferred LDAP server later becomes unavailable.
This attribute is defined in RFC 2252.
Multi-valued attribute that specifies the attribute types used within a subschema. Each value describes a single attribute.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
Used by read-only replica to recognize master data source. Contains a reference to the server that holds the master data. Note that this attribute is only used for legacy replication. It is not used for multi master replication.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Used by read-only replica to recognize master data source while replication is in progress. Contains a reference to the server that holds the master data. Note that this attribute is only used for legacy replication. It is not used for multi master replication.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Multi-valued attribute that defines the DIT content rules which are in force within a subschema. Each value defines one DIT content rule. Each value is tagged by the object identifier of the structural object class to which it pertains.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
Multi-valued attribute that defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
Multi-valued attribute that defines the matching rules used within a subschema. Each value defines one matching rule.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
Used to indicate the attribute types to which a matching rule applies in a subschema.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
Multi-valued attribute that defines the name forms used in a subschema. Each value defines one name form.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
Corresponds to a naming context the server is mastering or shadowing. When the Directory Server does not master any information (for example, it is an LDAP gateway to a public X.500 directory), this attribute is absent. When the Directory Server believes it contains the entire directory, the attribute has a single value, and that value is the empty string (indicating the null DN of the root). This attribute permits a client contacting a server to choose suitable base objects for searching.
This attribute is defined in RFC 2252.
This attribute is a conflict marker attribute. It is included on entries that have a change conflict that cannot be resolved automatically by the replication process.
This attribute is defined in Directory Server.
DirectoryString, multi-valued.
This attribute is a computed attribute that is not stored with the entry itself. It identifies which roles an entry belongs to.
This attribute is defined in Directory Server.
This attribute contains the distinguished name of all roles that apply to an entry. Membership of a managed role is conferred upon an entry by adding the role's DN to the entry's nsRoleDN attribute.

dn: cn=staff,o=Netscape,o=example.com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=userA,ou=users,o=Netscape,o=example.com
objectclass: top
objectclass: person
sn: uA
userpassword: secret
nsroledn: cn=staff,o=Netscape,o=example.com

A nested role specifies containment of one or more roles of any type. In that case, nsRoleDN defines the DN of the contained roles.

dn: cn=everybody,o=Netscape,o=example.com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,o=Netscape,o=example.com
nsroledn: cn=staff,o=Netscape,o=example.com

This attribute is defined in Directory Server.
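The following added example (not part of the Directory Server documentation or code) shows how the computed nsRole attribute can be derived from the nsRoleDN values above: a managed role is listed in the member entry itself, and a nested role is listed in the role entry that contains it. The directory below is constructed sample data reusing the DNs from the LDIF, plus a constructed cn=manager role and a cn=userB entry with no roles; the function names are assumptions of this example.

```python
"""Compute nsRole values from nsRoleDN memberships (added example, not DS code)."""

# Constructed sample directory, keyed by lower-cased DN.
# Each entry maps attribute name -> list of values, like parsed LDIF.
DIRECTORY = {
    "cn=staff,o=netscape,o=example.com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsSimpleRoleDefinition", "nsManagedRoleDefinition"],
    },
    "cn=manager,o=netscape,o=example.com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsSimpleRoleDefinition", "nsManagedRoleDefinition"],
    },
    "cn=everybody,o=netscape,o=example.com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsComplexRoleDefinition", "nsNestedRoleDefinition"],
        # A nested role lists the roles it contains in its own nsroledn.
        "nsroledn": ["cn=manager,o=Netscape,o=example.com",
                     "cn=staff,o=Netscape,o=example.com"],
    },
    "cn=usera,ou=users,o=netscape,o=example.com": {
        "objectclass": ["top", "person"],
        "sn": ["uA"],
        # A managed role is listed in the member entry's nsroledn.
        "nsroledn": ["cn=staff,o=Netscape,o=example.com"],
    },
    "cn=userb,ou=users,o=netscape,o=example.com": {
        "objectclass": ["top", "person"],
        "sn": ["uB"],
    },
}


def norm(dn):
    """Normalise a DN for comparison (case-insensitive, whitespace trimmed)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _has_class(entry, objectclass):
    return objectclass.lower() in (v.lower() for v in entry.get("objectclass", []))


def managed_roles(entry_dn):
    """Managed roles an entry belongs to directly, via its own nsroledn values."""
    entry = DIRECTORY[norm(entry_dn)]
    roles = set()
    for dn in entry.get("nsroledn", []):
        role = DIRECTORY.get(norm(dn))
        if role is not None and _has_class(role, "nsManagedRoleDefinition"):
            roles.add(norm(dn))
    return roles


def nested_roles_containing(role_dns):
    """Nested roles whose nsroledn lists any of the given roles, expanded transitively."""
    result = set()
    frontier = set(role_dns)
    while frontier:  # terminates: each nested role is added to result at most once
        found = set()
        for dn, entry in DIRECTORY.items():
            if not _has_class(entry, "nsNestedRoleDefinition") or dn in result:
                continue
            contained = {norm(v) for v in entry.get("nsroledn", [])}
            if contained & frontier:
                found.add(dn)
        result |= found
        frontier = found
    return result


def compute_nsrole(entry_dn):
    """Return the computed nsRole values (sorted, normalised DNs) for an entry."""
    direct = managed_roles(entry_dn)
    return sorted(direct | nested_roles_containing(direct))
```

Because nsRole is computed rather than stored, an access-control rule keyed on a role only sees what this expansion produces; the cycle guard in nested_roles_containing matters because nothing prevents two nested roles from listing each other.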
Indicates how many immediate subordinates an entry has. For example, numSubordinates=0 in a leaf entry.
This attribute is defined in the numSubordinates Internet Draft.
Multi-valued attribute that defines the object classes used in a subschema. Each value defines one object class.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
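The subschema attributes described in this chapter (attributeTypes, objectClasses, matchingRules, nameForms and so on) all carry one RFC 2252 description per value. The following added example, which is not Directory Server code, parses that description syntax and then walks the SUP chain of an object class to collect the attributes it inherits, which is the inheritance the chapter's introduction refers to. The two sample descriptions are constructed, and parse_description and must_attributes are names chosen for this example.

```python
"""Parse RFC 2252 subschema descriptions (added example, not DS code)."""
import re

# Constructed sample values in RFC 2252 description form.
SAMPLE_ATTRIBUTE_TYPE = (
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'Standard Attribute' "
    "SUP name EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"
)
SAMPLE_OBJECT_CLASS = (
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )"
)
SAMPLE_OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    SAMPLE_OBJECT_CLASS,
]

# Keywords that take no value.
_FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION",
          "ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE"}
# Keywords whose value is always normalised to a list, even when unparenthesised.
_LIST_KEYS = {"NAME", "SUP", "MUST", "MAY", "AUX", "NOT"}
# Tokens: quoted string, parentheses, '$' separator, or a bare word/OID.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")


def parse_description(text):
    """Return {'oid': ..., 'NAME': [...], 'SUP': [...], 'DESC': '...', ...}."""
    tokens = _TOKEN.findall(text)
    if not tokens or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    tokens = tokens[1:-1]
    result = {"oid": tokens[0]}
    i = 1
    while i < len(tokens):
        key = tokens[i].upper()
        i += 1
        if key in _FLAGS:
            result[key] = True
            continue
        if i >= len(tokens):
            raise ValueError("keyword %s has no value" % key)
        if tokens[i] == "(":
            # Parenthesised list: quoted names or '$'-separated OIDs.
            close = tokens.index(")", i)
            result[key] = [t.strip("'") for t in tokens[i + 1:close] if t != "$"]
            i = close + 1
        else:
            value = tokens[i].strip("'")
            result[key] = [value] if key in _LIST_KEYS else value
            i += 1
    return result


def must_attributes(class_name, descriptions):
    """All MUST attributes of a class, including those inherited through SUP."""
    classes = {}
    for desc in descriptions:
        parsed = parse_description(desc)
        for name in parsed.get("NAME", []):
            classes[name.lower()] = parsed
    required, seen, todo = set(), set(), [class_name.lower()]
    while todo:
        name = todo.pop()
        if name in seen:  # guards against SUP cycles in a broken schema
            continue
        seen.add(name)
        cls = classes[name]
        required.update(a.lower() for a in cls.get("MUST", []))
        todo.extend(s.lower() for s in cls.get("SUP", []))
    return required
```

The same parser applies to the other RFC 2252 description attributes (matchingRules, nameForms, dITContentRules), since they share the OID-then-keywords layout; only the set of keywords differs.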
Used to specify the length of time that must pass before the user is allowed to change their password.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
passwordChange (pwdAllowUserChange)
Specifies whether users may change their passwords.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
passwordCheckSyntax (pwdCheckSyntax)
Specifies whether the password syntax will be checked before the password is saved. (The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user's name or ID or any attribute value stored in the uid, cn, sn, givenName, ou, or ….)
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the passwordMaxAge (pwdMaxAge) attribute.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Used to specify the length of time that passes before the user's password expires.
This attribute is defined in Directory Server.
GeneralizedTime, single-valued.
Used to indicate that a password expiration warning has been sent to the user.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Used to specify the number of (grace) login attempts that are allowed to a user after the password has expired.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Used to count the number of attempts the user has made with the expired password.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Contains the history of the user's previous passwords.
This attribute is defined in Directory Server.
passwordInHistory (pwdInHistory)
Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled. That is, the Directory Server does not store any old passwords and so users can reuse passwords. You can enable password history by using the passwordInHistory (pwdInHistory) attribute. To prevent users from rapidly cycling through the number of passwords that you are tracking, use the passwordMinAge attribute.
This attribute is defined in Directory Server.
Indicates whether users will be locked out of the directory after a given number of failed bind attempts. By default, users will not be locked out of the directory after a series of failed bind attempts. If you enable account lockout, you can set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure (pwdMaxFailure) attribute.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
passwordLockoutDuration (pwdLockoutDuration)
Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the passwordLockout (pwdLockOut) attribute.
This attribute is defined in Directory Server.
Indicates the number of seconds after which user passwords will expire. To use this attribute, you must enable password expiration using the passwordExp attribute.
This attribute is defined in Directory Server.
passwordMaxFailure (pwdMaxFailure)
Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the passwordLockout (pwdLockOut) attribute.
This attribute is defined in Directory Server.
Indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory (pwdInHistory) attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) indicates that the user can change the password immediately.
This attribute is defined in Directory Server.
passwordMinLength (pwdMinLength)
Specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack, so it is recommended that you set a password length of at least 6 or 7 characters. This is long enough to be difficult to crack, but short enough that users can remember the password without writing it down.
This attribute is defined in Directory Server.
passwordMustChange (pwdMustChange)
Indicates whether users must change their passwords when they first bind to the Directory Server, or when the password has been reset by the "Manager DN".
This attribute is defined in Directory Server.
DirectoryString, single-valued.
passwordResetFailureCount (pwdFailureCountInterval)
Indicates the amount of time in seconds after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout (pwdLockOut) attribute is set to on, users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure (pwdMaxFailure) attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration (pwdLockoutDuration) attribute, the failure counter is reset to zero (0).
This attribute is defined in Directory Server.
Used to count the number of consecutive failed attempts at entering the correct password.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Specifies the type of encryption used to store Directory Server passwords. Setting this attribute to CLEAR indicates that the password will be stored and will appear in plain text.
The following encryption types are supported by Directory Server 6.x:
- SSHA (Salted Secure Hash Algorithm) is the recommended method as it is the most secure.
- SHA (Secure Hash Algorithm). This is the method supported by 4.x Directory Servers.
- CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
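To make the difference between the storage schemes concrete, here is an added example (not Directory Server code) that produces and verifies userPassword values in the {SSHA}, {SHA} and CLEAR forms. It assumes the usual layout of these values: a scheme tag in braces followed by base64 of the raw SHA-1 digest for {SHA}, or of the digest followed by the salt for {SSHA}, where the salt is whatever remains after the 20-byte digest. {CRYPT} is omitted because its hashing routine is platform-specific. The function names make_hash, verify and scheme_of are this example's own.

```python
"""Produce and verify {SSHA}/{SHA}/CLEAR userPassword values (added example, not DS code)."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes; in {SSHA} the salt follows the digest


def make_hash(password, scheme="SSHA", salt=None):
    """Return a userPassword value in the given storage scheme.

    For SSHA the salt defaults to 8 random bytes; pass one explicitly for
    reproducible output (the verifier does, with a constructed salt).
    """
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return password
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def scheme_of(stored):
    """Scheme tag of a stored value; an untagged value is treated as CLEAR."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEAR"


def verify(stored, candidate):
    """True if `candidate` matches the stored userPassword value."""
    pw = candidate.encode("utf-8")
    scheme = scheme_of(stored)
    payload = stored[len(scheme) + 2:] if stored.startswith("{") else stored
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    raw = base64.b64decode(payload)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        # Recompute with the stored salt; compare_digest avoids timing leaks.
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)
```

scheme_of is the piece an administrator would use when auditing an export: every value it reports as CLEAR or SHA (unsalted, so identical passwords produce identical values) is a candidate for re-hashing under SSHA the next time the user changes their password.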
Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. If the passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account will be locked indefinitely.
This attribute is defined in Directory Server.
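The lockout attributes (passwordLockout, passwordMaxFailure, passwordResetFailureCount, passwordLockoutDuration, passwordUnlock, with the per-account passwordRetryCount and accountUnlockTime) interact in ways that are easier to see when run. The following added example, which is not Directory Server code, models exactly the semantics stated in this chapter: failed binds increment the counter, the counter clears after the reset interval, reaching the maximum locks the account for the lockout duration, and with passwordUnlock off the account stays locked (accountUnlockTime 0) until an administrator resets the password. Time is an integer number of seconds supplied by the caller so the example runs offline; the default policy values, the scenarios in demo(), and the names retry_count_reset_time, bind() and admin_reset_password() are constructed for this example.

```python
"""Model of the account-lockout attributes (added example, not DS code)."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Policy attributes from the chapter; these default values are constructed."""
    passwordLockout: bool = True
    passwordMaxFailure: int = 3
    passwordResetFailureCount: int = 600   # seconds before the counter resets
    passwordLockoutDuration: int = 3600    # seconds an account stays locked
    passwordUnlock: bool = True            # False = locked until admin reset


@dataclass
class AccountState:
    passwordRetryCount: int = 0
    retry_count_reset_time: int = 0  # when the current failure window ends
    locked: bool = False
    accountUnlockTime: int = 0       # 0 while unlocked, or locked indefinitely


class LockoutSimulator:
    def __init__(self, policy, password):
        self.policy = policy
        self._password = password
        self.state = AccountState()

    def bind(self, now, password):
        """Attempt a bind at time `now`; returns 'ok', 'invalid' or 'locked'."""
        p, s = self.policy, self.state
        if s.locked:
            if p.passwordUnlock and now >= s.accountUnlockTime:
                self._unlock()        # lockout duration elapsed: counter reset
                s = self.state
            else:
                return "locked"       # passwordUnlock off: nothing ever expires
        # The failure counter is cleared once the reset interval has passed.
        if s.passwordRetryCount and now >= s.retry_count_reset_time:
            s.passwordRetryCount = 0
        if password == self._password:
            s.passwordRetryCount = 0
            return "ok"
        if s.passwordRetryCount == 0:   # first failure opens a new window
            s.retry_count_reset_time = now + p.passwordResetFailureCount
        s.passwordRetryCount += 1
        if p.passwordLockout and s.passwordRetryCount >= p.passwordMaxFailure:
            s.locked = True
            s.accountUnlockTime = (now + p.passwordLockoutDuration
                                   if p.passwordUnlock else 0)
        return "invalid"

    def admin_reset_password(self, new_password):
        """Administrator reset: the only way out when passwordUnlock is off."""
        self._password = new_password
        self._unlock()

    def _unlock(self):
        self.state = AccountState()


def demo():
    """Three constructed scenarios; each returns the sequence of bind outcomes."""
    out = {}
    sim = LockoutSimulator(LockoutPolicy(), "secret")
    out["lock_then_expire"] = [sim.bind(t, "wrong") for t in (0, 10, 20)]
    out["lock_then_expire"] += [sim.bind(30, "secret"),     # still locked
                                sim.bind(3620, "secret")]   # lock expired
    sim = LockoutSimulator(LockoutPolicy(), "secret")
    out["window_reset"] = [sim.bind(t, "wrong") for t in (0, 700, 710)]
    out["window_reset"].append(sim.state.passwordRetryCount)  # 2: never locked
    sim = LockoutSimulator(LockoutPolicy(passwordUnlock=False), "secret")
    out["permanent"] = [sim.bind(t, "wrong") for t in (0, 1, 2)]
    out["permanent"].append(sim.bind(10**6, "secret"))        # locked forever
    sim.admin_reset_password("new-secret")
    out["permanent"].append(sim.bind(10**6 + 1, "new-secret"))
    return out
```

The window_reset scenario is the one worth noting: a slow guessing rate that stays under passwordMaxFailure per passwordResetFailureCount window never triggers the lock, so the reset interval, not just the failure limit, determines how much protection the policy gives.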
DirectoryString, single-valued.
passwordWarning (pwdExpireWarning)
Indicates the number of seconds before a user's password is due to expire that the user will receive a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.
This attribute is defined in Directory Server.
Points to the entry DN of the new password policy.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
Specifies the length of time that passes before the passwordRetryCount is reset.
This attribute is defined in Directory Server.
DirectoryString, single-valued.
DN of an entry that contains schema information.
This attribute is defined in RFC 2252.
The values of this attribute are the object identifiers (OIDs) that identify the controls supported by the server. When the server does not support controls, this attribute is absent.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
The values of this attribute are the object identifiers (OIDs) that identify the supported extended operations supported by the server. When the server does not support extensions, this attribute is absent.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
Identifies the versions of the LDAP protocol implemented by the server.
This attribute is defined in RFC 2252.
Identifies the names of the SASL mechanisms supported by the server. When the server does not support any SASL mechanisms, this attribute is absent.
This attribute is defined in RFC 2252.
DirectoryString, multi-valued.
For add and modify operations, contains the changes made to the entry, in LDIF format.
This attribute is defined in Changelog Internet Draft.
The distinguished name of the entry which contains the set of entries comprising the server's changelog.
This attribute is defined in Changelog Internet Draft.
This single-valued attribute is always present. It contains an integer which uniquely identifies each change made to a directory entry. This number is related to the order in which the change occurred. The higher the number, the later the change.
This attribute is defined in Changelog Internet Draft.
Defines a time, in a YYMMDDHHMMSS format, when the entry was added.
This attribute is defined in Directory Server.
DirectoryString, multi-valued.
Specifies the type of LDAP operation. This attribute can have one of the following values: add, delete, modify, or modrdn.
This attribute is defined in Changelog Internet Draft.
DirectoryString, multi-valued.
In the case of modrdn operations, specifies whether the old RDN was deleted.
This attribute is defined in Changelog Internet Draft.
In the case of modrdn operations, specifies the new RDN of the entry.
This attribute is defined in Changelog Internet Draft.
In the case of modrdn operations, specifies the newSuperior attribute of the entry.
This attribute is defined in Changelog Internet Draft.
Contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved.
This attribute is defined in Changelog Internet Draft.
Used to represent changes made to the Directory Server. You can configure Directory Server 6.x to maintain a change log that is compatible with the change log implemented in Directory Server 4.1x by enabling the retro change log plug-in. Each entry in the change log has the object class changeLogEntry.
This object class is defined in Changelog Internet Draft.
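A consumer of the retro change log has to read the changeLogEntry attributes described above (changeNumber, changeType, targetDn, changes, and for modrdn the newRDN, deleteOldRDN and newSuperior values) and work out what the entry looks like afterwards. The following added example, not Directory Server code, parses a constructed two-entry changelog export, derives the post-change DN (targetDn is the DN before a modrdn), lists the attributes a modify touched, and orders entries by changeNumber. The container DN cn=changelog, the attribute values and the function names are constructed for this example; the parser handles plain and base64 (::) values plus continuation lines, not URL-valued attributes.

```python
"""Parse retro changelog entries (added example, not DS code)."""
import base64

# Constructed modify block; it is base64-encoded in the export because it spans lines.
_CHANGES_BLOCK = "replace: userpassword\nuserpassword: {SSHA}<redacted>\n-\n"

# Constructed sample export of two changelog entries.
SAMPLE_CHANGELOG = f"""\
dn: changenumber=1,cn=changelog
objectclass: top
objectclass: changeLogEntry
changenumber: 1
targetdn: cn=userA,ou=users,o=Netscape,o=example.com
changetype: modify
changetime: 20031030120000Z
changes:: {base64.b64encode(_CHANGES_BLOCK.encode()).decode()}

dn: changenumber=2,cn=changelog
objectclass: top
objectclass: changeLogEntry
changenumber: 2
targetdn: cn=userA,ou=users,o=Netscape,o=example.com
changetype: modrdn
changetime: 20031030120500Z
newrdn: cn=userAlpha
deleteoldrdn: true
newsuperior: ou=staff,o=Netscape,o=example.com
"""


def parse_ldif(text):
    """Parse a simple LDIF export into a list of {attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def resulting_dn(change):
    """DN of the affected entry after the change (None once it is deleted)."""
    target = change["targetdn"][0]
    ctype = change["changetype"][0].lower()
    if ctype == "delete":
        return None
    if ctype != "modrdn":
        return target
    # Assumption: no escaped commas in the RDN, so the parent is everything
    # after the first comma; newsuperior, when present, replaces it.
    parent = change.get("newsuperior", [target.split(",", 1)[1]])[0]
    return change["newrdn"][0] + "," + parent


def changed_attributes(change):
    """Attribute names touched by an add or modify change, from its 'changes' block."""
    names = set()
    ctype = change["changetype"][0].lower()
    for block in change.get("changes", []):
        for line in block.splitlines():
            left, sep, right = line.partition(":")
            if not sep:
                continue                   # '-' separators and blank lines
            if ctype == "add":
                names.add(left.strip().lower())
            elif left.strip() in ("add", "replace", "delete"):
                names.add(right.strip().lower())
    return names


def changes_since(entries, last_seen):
    """Entries with a changeNumber above the last one processed, in change order."""
    newer = [e for e in entries if int(e["changenumber"][0]) > last_seen]
    return sorted(newer, key=lambda e: int(e["changenumber"][0]))
```

Keeping the last processed changeNumber and calling changes_since on each poll is the usual way to consume the log incrementally; the changeNumber ordering the chapter describes is what makes that safe, since a higher number always means a later change.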
The distinguished name of an entry added, modified or deleted on a supplier server.
Stores password information for a user in the directory.
This object class is defined in Directory Server.
An auxiliary object class for subentries used to administer the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters used to express the subschema.
This object class is defined in RFC 2252.
© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2003 Netscape Communications Corporation. All rights reserved.
Read the Full Copyright and Third-Party Acknowledgments.
Last Updated October 30, 2003